By now, you will have no doubt heard about GDPR, the new data protection rules that came into force on 25 May. Since this date, any organisation which stores and uses personal data must comply with the new, stricter regulations. Here’s what you should know.
The organisation with responsibility for enforcing GDPR compliance is the Information Commissioner’s Office (ICO). Its stance on GDPR is that the new rules are ‘a huge opportunity for you, as small businesses, to get information handling right’.
Greater protection under GDPR
GDPR replaces the Data Protection Act (DPA), and significantly raises the bar on how personal data is handled. There are several key changes that will ensure greater protection for individuals. These include:
- an expanded definition of personal data, based on a wider range of personal identifiers
- the need to identify a lawful basis for processing personal data
- a range of new rights for the individual, including the ‘right to be forgotten’.
Data controllers and data processors
Another important change is that GDPR applies to both data controllers (those responsible for how and why data is handled) and data processors (those who process the data on behalf of a controller).
Under GDPR, data processors must keep records of all personal data and processing activities. They also carry greater legal liability for any breaches. Data controllers must ensure that their contracts with processors comply with GDPR.
In the ICO’s words, businesses that were already DPA-compliant will be ‘well on the way’ to GDPR compliance, but they will need evidence to show that they are implementing the new rules. There are significant fines for businesses that fail to comply.
Information Commissioner, Elizabeth Denham, acknowledges that ‘there are particular challenges for small organisations in preparing for the new law’ but any company that handles data must take steps to ensure compliance. ‘All organisations are different … whether you’re a micro-brewery with 20 staff, or a tech start-up with 200, you can get it right.’
If you have any concerns that you may not yet be complying with GDPR, we would be happy to advise.
For information of users: This material is published for the information of clients. It provides only an overview of the regulations in force at the date of publication, and no action should be taken without consulting the detailed legislation or seeking professional advice. Therefore no responsibility for loss occasioned by any person acting or refraining from action as a result of the material can be accepted by the authors or the firm.