In a few months’ time, on May 25th 2018, the EU’s General Data Protection Regulation (GDPR) will take effect. The new regulation will replace the UK Data Protection Act 1998. The legislation is being put into place to protect the rights of individuals to control how their personal information is collected and processed, alongside new obligations for organisations in how they process that data and greater accountability for data protection.
You can read the full regulation (88 pages, 99 articles) here; it details the rules for the protection of personal data inside and outside the EU.
One thing to be aware of is that GDPR is not a choice and affects everyone. Companies and organisations will need to go beyond just their data security and policies before the deadline arrives in May. It means that training and awareness need to be shared amongst businesses and employees to ensure compliance. Companies who work with third-party data will need to be vigilant and be mindful of their role in the new legislation too.
Being able to demonstrate GDPR compliance is a big part of the process. It will also mean having legal grounds to hold personal data and to process it, with complete transparency about what is done with it. Key points to highlight are the following:
- GDPR applies to personal and sensitive data
- There must be clear consent to process personal data
- A person can access their data at any time
- The GDPR applies to all EU organisations, whether commercial business, charity or public authority, that collect, store or process the personal data of individuals residing in the EU, even if they’re not EU citizens.
- Stricter safeguards will be in place to transfer data outside of the EU
- There will be one set of rules for the whole EU
In the past year alone, there have been a number of data breaches reported, and in the eyes of the new GDPR legislation, the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data has to be reported to a country’s data protection regulator (in the case of the UK, the ICO) where it could have a detrimental impact on the people it concerns. This can include, but isn’t limited to, financial loss, confidentiality breaches, damage to reputation and more. The ICO has to be told about a breach within 72 hours of an organisation finding out about it, and the people it impacts also need to be told.
As well as organisations complying with the new rules, individuals are being given a lot more power to access their data: when someone asks a business for their data, the business must provide the information within one month.
One of the most talked about aspects of GDPR is the fine process for non-compliance from organisations. Fines can be given for:
- Not processing an individual’s data the correct way
- An organisation not having a data protection officer in place
- Having a security breach.
There is much to take on board, and the ICO will work with businesses to improve their practices and make the transition happen correctly. Although this is a big subject, businesses who are already complying with data protection law will likely already be meeting many of the GDPR principles. If you are in that position, you should have nothing to fear.
It is important to start planning your approach to GDPR now and to ensure that your business is compliant before May 2018, putting into place procedures and policies that will give transparency for all parties involved.
Always be open and honest with your clients, communicating clearly with them about any data that you hold and making it accessible to them at any time. And ensure that they have given you permission to use their data before you process any of it.
As a trusted accountancy company looking after a wide range of clients, you can be assured that we are ensuring complete compliance before GDPR takes effect, in our role as ‘data controller and data processor’.
For more advice on the subject, feel free to get in touch.