Our second event of 2018 was held at the newly refurbished NFBP member venue Beaulieu Hotel last Wednesday (24 January). With such an important topic it was no surprise that the breakfast sold out.
Simon Humphreys from South Coast Data Protection Consultants delivered the GDPR presentation, which gave delegates important information about the upcoming General Data Protection Regulation. The information is summarised below. The new data protection legislation comes into force on 25 May 2018, less than 4 months away, and it will have an impact on how you manage your business and handle personal information. It provides greater rights to individuals and stricter requirements on businesses.
You will need to be able to justify how you obtain, hold, communicate and dispose of personal information and be able to provide documentary evidence that you and your staff understand the new law and comply with the requirements.
In addition, there will be harsher penalties. The current monetary penalty is £500,000; under the General Data Protection Regulation (GDPR) the penalty will be €20,000,000 (£17,000,000 at the current exchange rate) or 4% of global turnover, whichever is greater.
As a business you should document what personal information you hold, not just information about your clients but also the details you hold about your staff.
- You need to know where the information comes from.
- Is it still accurate and up to date?
- Who do you share the information with and do you have appropriate contracts with data protection clauses?
- Have you considered the privacy notices that you provide?
To ensure that you are ready for the new law, you need to comply with the existing legislation; otherwise the step up could be considerable.
As a business you should provide privacy notices to individuals when you process their personal information, explaining what you are doing with their data. These notices should be reviewed to ensure they are fit for purpose and accurate. The new legislation makes significant changes and requires you to provide considerably more information to individuals.
This information includes but is not restricted to:
- What you are doing with the information
- Who you are passing it to and why
- How long you are going to keep the information, and the legal basis for processing it
- How you are going to dispose of it
You have obligations under the existing legislation with regard to the rights of individuals. These rights will increase under the new law including a reduced timescale for the provision of information if a Subject Access Request is made. Under GDPR you have 30 days to process any request and you cannot charge a fee.
You need to have a policy so that your staff understand their responsibilities and to ensure you comply with your obligations. You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
The GDPR requires all businesses to be able to demonstrate that they have a legal basis for processing personal information and to document it. All processing must be justified. The new legislation puts a greater obligation on you to prove that you have the required legal basis for processing personal information. The requirements in relation to consent are far stronger under the new legislation. You need to review how you are seeking, obtaining and recording consent and whether you need to make any changes. You will need to be able to demonstrate that consent was freely given by a clear, affirmative action, and that it was specific, informed and unambiguous.
You should start now to make sure you have the right procedures in place to detect, report and investigate a personal data breach. Under the new law, you will be required to report certain data breaches to the Information Commissioner's Office within 72 hours. Also, if there is a significant risk of harm, you may have to inform directly the individuals whose data has been the subject of the breach.
It has always been good practice to adopt a privacy by design approach and to carry out a privacy impact assessment. However, the new law will make this an express legal requirement. You will need to be able to demonstrate that you have considered any risks to the security of personal information in high risk situations or when you are considering introducing new technology. Any new system should be designed to ensure that only the minimum amount of information required is obtained.
How can South Coast Data Protection Consultants help?
We can assist your business by providing:
- Audit/Compliance Reviews
- Policies and Procedures
- Consultancy Service
Contact South Coast Data Protection Consultants:
For more information, please visit their website: www.scdpc.co.uk