General Data Protection Regulation (GDPR) – time for a spring clean

LET’S face it, nobody likes doing spring cleaning. Okay, there might be that one cheery person in your office who likes to brandish a feather duster and rubber gloves and get stuck in, but it’s a chore most of us would rather not face.

The General Data Protection Regulation (GDPR) which comes into effect at the end of May will require companies to spruce up their data processing practices, so it might be a good idea to review your own firm’s data handling.

When you consider that the Data Protection Act, which the GDPR has been designed to replace, came into law in 1998, it is clear there is a need to bring things up to date. So much has changed in the last 20 years in the way an individual's data is stored and used, not to mention the amount of data which can be held on one person.

In order to protect individuals' rights over the data which is held on them, including the right to access it, the EU has drawn up these new regulations, which have been designed to keep up with 21st century technology.

The GDPR will be brought into UK law in the form of the Data Protection Bill, which will ensure the new law remains enforceable even after the UK leaves the European Union.

The law comes into force in the UK and across the EU on May 25, so if you haven’t already taken steps to prepare your business for the change, it’s time to get your skates on.

In early March, the Federation of Small Businesses (FSB) told the Financial Times that it estimates that just one in 10 British businesses are fully prepared for the introduction of the GDPR.

According to the FSB’s findings, around two-thirds of businesses had either not started preparations for the introduction of GDPR or had done only minimal work on it.

The most worrying aspect of this is that fines for breaching the regulations are much greater than those for violating the old Data Protection Act.

Previously, the Information Commissioner's Office (ICO) could only impose fines up to a maximum of £500,000. The new regulations allow for maximum fines of £17m or 4 per cent of a company's annual worldwide turnover, whichever is the greater.

The FSB has appealed to the ICO for a settling-in period to allow businesses to get used to the new law without risking crippling fines. This could involve an element of self-reporting, whereby a company that believes it has breached the law could come forward without being subjected to sanctions.

However, it is not clear at this stage if the ICO is open to such a move and therefore it is imperative that all companies get their house in order by the end of May.

So what can you do?

Well, the first thing to do is conduct a spring clean of the information you hold on your customers or potential clients. A data audit is the best way to work out what information you hold and for what purpose.

While GDPR is a uniform set of regulations designed to make data processing more transparent and manageable, no two companies are the same and what might be applicable to one may not be to another.

When conducting a data audit you should also take the time to make sure everyone in your company understands the new regulations, not just those who directly handle data.

If you have not done so already, it may be a good idea to appoint a data protection officer so everyone in your firm knows there is a point person for all data enquiries.

For each category of information you hold, you should be able to explain why you hold it and on what lawful basis; if you are not sure, or simply no longer need the data, delete it.

Companies must also have a clear procedure in place for dealing with subject access requests, that is, requests from members of the public for the records you hold on them. They must also have plans in place for detecting, handling and recording breaches of data security, bearing in mind that the GDPR requires a breach which puts individuals at risk to be reported to the ICO without undue delay and, where feasible, within 72 hours of the company becoming aware of it.

It is also essential to keep an eye on data involving children and to be able to justify your reasons for holding such information.

Advances in technology have made these regulations necessary and, although many aspects of the old Data Protection Act remain, there are a number of differences and areas to which the UK has given specific focus.

These include the processing of data relating to criminal convictions and offences. The GDPR allows personal information connected to criminal activity to be processed only under the control of official authority or where the law specifically authorises it.

The regulations also allow for automated processing of personal data, including automated decision-making, provided the necessary safeguards have been put in place and a company can justify the practice.

The government has also set 13 as the minimum age at which a person can consent to their personal data being processed by online services; the GDPR's default is 16, which member states are permitted to lower to 13.

There will be certain exemptions to the regulations, for example for archiving and research purposes, which affect bodies such as universities, research organisations and museums.

So, there’s no time like the present to dust down your existing data processing practices and make sure they fit the bill when the shiny new regulations come into force later in the spring.