New Data Protection Regulations – Are you ready?

Posted by Moore & Smalley

Mon 31st, Jul

Data protection has always been considered a key concern for big business. High profile data breaches in recent years highlight the scale on which data is now gathered and the risks inherent in collecting data en masse.

It has been almost two decades since the UK Data Protection Act was introduced in 1998. Since then, the internet has become critical to the success of most, if not all, organisations. Furthermore, the rise of social media and cloud storage has dramatically changed how an organisation markets its products and services.

However, data protection may not have been at the top of the small business owner’s ever-growing list of priorities. With the introduction of the EU General Data Protection Regulation (GDPR) on 25 May 2018, this will need to change.

What is GDPR?

The General Data Protection Regulation (GDPR) is the new EU privacy directive designed to harmonise data protection practice across Europe. The new legislation will offer more protection to citizens and their data. Individuals will be required to give explicit consent for their data to be collected and organisations will need to be clear as to their intended use of the information; gathering data without any purpose will no longer be possible.

GDPR will also build on the existing right of individuals under the UK Data Protection Act to request access to their private information, giving individuals the right to have their information removed from any record where their personal data is held without a compelling reason.

This means that all businesses will have new obligations and responsibilities and consideration needs to be given now as to how they will comply before GDPR comes into force next year.

But won’t Brexit mean my business doesn’t need to comply?

The Government has confirmed that the decision to leave the EU will not affect the introduction of GDPR; significantly, the legislation will apply to any organisation supplying goods and services to EU citizens and so any UK business exporting to the EU will need to comply irrespective of Brexit (‘hard’, ‘soft’ or otherwise).

For businesses whose activities are limited to the UK, the position following Brexit is less clear, but the Government has suggested that equivalent legislation will be brought into effect even after Brexit.

The regulations will also apply irrespective of size, meaning listed companies and SMEs will be subject to the same rules.

What will my business need to do?

In order to ensure the regulations are adhered to, some businesses will need to appoint a Data Protection Officer (DPO). The DPO will need to be external to the IT function and will normally be a director or other individual in a position of significant influence. The appointment of a DPO is specifically required for certain types of organisation (see the website of the Information Commissioner’s Office (ICO) for more details: https://ico.org.uk/for-organisations/data-protection-reform/). The need to appoint a DPO should be assessed on a case-by-case basis.

A key business activity affected by GDPR is sales and marketing. Businesses that regularly run email marketing campaigns will need to be able to demonstrate that recipients have explicitly opted in to receive their marketing electronically, by keeping a formal record of when, where and how the opt-in was made.

GDPR also means that robust processes must be established for detecting and responding to data breaches. Any breaches will need to be reported to the ICO within 72 hours.

We would therefore recommend conducting a review of how your business would respond in the event of a data breach and starting to formulate a plan for implementing any improvements.

So what next?

In the short term, we recommend taking the following steps:

• Designate someone within your business to take responsibility for compliance with GDPR and ensure they’re properly trained.

• Establish what personal data your business is storing and how.

• Assess how your business would respond in the event of a breach – could any improvements be made?

• Make sure you understand the regulations – the ICO website provides a wealth of information on GDPR, including a 12-step guide on how to prepare for the new legislation: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
This article originally appeared on the blog of MHA member firm, Larking Gowen.