The EU General Data Protection Regulation (GDPR) applies in the UK from 25 May 2018 and is expected to have a significant impact on businesses across the country.
The GDPR replaces the regime of the Data Protection Act 1998. It applies to organisations established in the EU that process personal data, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. 'Personal data' means any information relating to an identifiable living person, and 'processing' covers collecting, storing, using, sharing and deleting it.
Consent is not the only route to lawful processing under the GDPR: there are six lawful bases, of which consent is one (the others include performance of a contract, compliance with a legal obligation and the organisation's legitimate interests). Where an organisation does rely on consent, it must be able to demonstrate that the individual actually gave it, and it must provide clear and comprehensive privacy notices so that individuals understand what they are agreeing to and how their data will be used.
Ultimately, the GDPR gives supervisory authorities (in the UK, the Information Commissioner's Office) increased powers, including the ability to impose fines of up to €20 million or four percent of worldwide annual turnover, whichever is higher, for the most serious infringements.
With this in mind Ebuyer has created a compliance checklist to help business owners avoid the potentially disastrous consequences of a compliance failure:
Begin compliance discussions now with key people in your organisation.
Document the personal data your organisation holds, where it came from, why you hold it and who it is shared with. This also forms the basis of the record of processing activities that the GDPR requires of most organisations.
Review your privacy notices. Under the GDPR you must state the lawful basis for each purpose for which you process customer data, how long you will retain it, the rights individuals have over it, and their right to complain to the supervisory authority (the ICO in the UK).
Have a robust process in place for locating an individual's data and for deleting it when an erasure request is received. The right to erasure is not absolute (data you are legally obliged to retain need not be deleted, for example), but you must still be able to find the data and respond to the request, normally within one month.
Be aware of the new right to 'data portability'. Individuals can ask for the personal data they have provided to you, where you process it by automated means on the basis of consent or a contract, in a structured, commonly used and machine-readable format, free of charge and normally within one month.
Review how you seek, record and manage consent. Under the GDPR consent must be freely given, specific, informed and unambiguous, and indicated by a clear affirmative action: assumed consent (for instance, pre-ticked boxes on a web form, or silence) is not valid, and withdrawing consent must be as easy as giving it.
Review how you will verify individuals' ages and obtain parental consent where you rely on consent to offer online services directly to children. The GDPR sets the age threshold at 16 but lets member states lower it to 13, which is the threshold the UK has adopted.
Reinforce your existing data breach reporting procedures so that you can notify the supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to pose a risk to individuals, and notify the affected individuals themselves without undue delay where that risk is high.
Appoint a data protection officer if you are required to (public authorities, and organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special category or criminal conviction data), and even if you are not, decide who should be trained in, and responsible for, GDPR compliance.
Amber Smith, head of sales at Ebuyer.com says, ‘The new GDPR regulations will have a significant impact on small businesses, who will need to begin taking steps to achieve compliance as soon as possible. But it’s not just SMEs who need to begin making these changes, as the law applies to all companies regardless of size, from sole traders to multinationals.
‘This year’s ransomware attacks should already have emphasised the need for businesses to invest in robust antivirus and cybersecurity measures, but in case they didn’t, hopefully the GDPR and its new penalties for non-compliance will.’