As you are no doubt aware, a new set of data protection laws comes into effect this May called the ‘General Data Protection Regulation’ (GDPR). These new regulations have in fact already been in place for 2 years; however, on May 25th the grace period is up and companies can be fined up to 4% of turnover for noncompliance!
Well, if you store any identifiable personal data of clients or consumers, then yes. For example, if you have any databases that hold names, email lists, contact numbers or addresses, you can be held liable.
A common issue which affects us here at Red C is if you manage personal data on behalf of clients. In this case, you are deemed a ‘data processor’ and are jointly liable with your client, the ‘data controller’, for any breach.
Although the GDPR regulations seem large and complex, they are not really that onerous, as most parts come down to common sense - things you should already be doing. The main focus of GDPR is the right of the individual over the personal data you hold on them. Therefore, you need consent for all the personal data you store, and you need to inform people what you will be using their data for, how you are storing it and how long you are keeping it for. In fact, what you really need is a system in place that can provide users with the data you hold on them and erase their data should they request it.
The other area GDPR covers is data governance. This means that you need to be able to demonstrate that you have taken reasonable and appropriate measures to secure and protect the data you hold. In practice, this means reviewing all your IT systems to make sure they are secure and ensuring that only the necessary people have access to the data required to perform their job role. If you have a new project or initiative that involves storing personal data, for example a marketing campaign or a new website or app, you should create a Privacy Impact Assessment (PIA) to determine any risks to personal data and what you will do to mitigate these risks.
GDPR recommends, and in some cases legally requires, that you appoint a ‘Data Protection Officer’ (DPO) - someone to oversee this process in your business. The DPO has the unenviable task of being responsible for the data protection activities of your business.
Well yes, the fines that could be imposed should you have a data breach are pretty substantial, especially if you cannot show you have taken steps to become GDPR compliant. Additionally, many larger companies will insist that anyone they work with must be GDPR compliant.
The best way to look at GDPR is as an opportunity to take a fresh look at the data you store. In fact, you may well have personal records stretching back years which you no longer need or use. Deleting old personal data and making sure any personal data you do hold is stored securely is something every business should do. Think of GDPR as a timely reminder to get your systems in order.
If you want to find out more, here is a good place to start: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Red C is currently in the process of building an online tool to take the pain out of the GDPR process. Get in touch to find out more!