New Data Protection Regulations – Are you ready?

Posted by Moore & Smalley

Mon 31st, Jul

Data protection has always been considered a key concern for big business. High profile data breaches in recent years highlight the scale on which data is now gathered and the risks inherent with collection of data en masse.

It has been almost two decades since the UK Data Protection Act was introduced in 1998. Since then, the internet has become critical to the success of most, if not all, organisations. Furthermore, the rise of social media and cloud storage have dramatically changed how an organisation markets its products and services.

However, data protection may not have been at the top of the small business owner’s ever-growing list of priorities. With the introduction of the EU General Data Protection Regulation (GDPR) on 25 May 2018, this will need to change.

What is GDPR?

The General Data Protection Regulation (GDPR) is the new EU privacy directive designed to harmonise data protection practice across Europe. The new legislation will offer more protection to citizens and their data. Individuals will be required to give explicit consent for their data to be collected and organisations will need to be clear as to their intended use of the information; gathering data without any purpose will no longer be possible.

GDPR also builds on the existing right of individuals under the UK Data Protection Act to request access to their personal information, and gives individuals the right to have their information removed from any record where their personal data is held without a compelling reason.

This means that all businesses will have new obligations and responsibilities and consideration needs to be given now as to how they will comply before GDPR comes into force next year.

But won’t Brexit mean my business doesn’t need to comply?

The Government has confirmed that the decision to leave the EU will not affect the introduction of GDPR; significantly, the legislation will apply to any organisation supplying goods and services to EU citizens and so any UK business exporting to the EU will need to comply irrespective of Brexit (‘hard’, ‘soft’ or otherwise).

For businesses whose activities are limited to the UK, following Brexit, the position is less clear but the Government has suggested that even after Brexit, equivalent legislation will be brought into effect.

The regulations will also apply irrespective of size, meaning listed companies and SMEs will be subject to the same rules.

What will my business need to do?

In order to ensure the regulations are adhered to, some businesses will need to appoint a Data Protection Officer (DPO). The DPO will need to be external to the IT function and will normally be a director or other individual in a position of significant influence. The appointment of a DPO is specifically required for certain types of organisation (see the website of the Information Commissioner’s Office (ICO) for more details: https://ico.org.uk/for-organisations/data-protection-reform/). The need to appoint a DPO should be assessed on a case-by-case basis.

A key business activity affected by GDPR is sales and marketing. Businesses that regularly run email marketing campaigns will need to be able to demonstrate that recipients have explicitly opted in to receive marketing electronically, by keeping a formal record of when, where and how the opt-in was made.

GDPR also means that robust processes must be established for detecting and responding to data breaches. Any breaches will need to be reported to the ICO within 72 hours.

We would therefore recommend conducting a review of how your business would respond in the event of a data breach and start formulating a plan for implementing any improvements.

So what next?

In the short term, we recommend taking the following steps:

• Designate someone within your business to take responsibility for compliance with GDPR and ensure they’re properly trained.

• Establish what personal data your business is storing and how.

• Assess how your business would respond in the event of a breach – could any improvements be made?

• Make sure you understand the regulations – the ICO website provides a wealth of information on GDPR, including a 12-step guide on how to prepare for the new legislation: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf


This article originally appeared on the blog of MHA member firm, Larking Gowen.
