The General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and will build upon the Data Protection Act 1998 (DPA 1998). It is important for UK businesses to plan for the GDPR and begin implementing the necessary changes to business practices and procedures as early as possible to ensure compliance once the GDPR becomes effective.
WHAT WILL GDPR MEAN TO MY BUSINESS?
The GDPR will apply to most businesses. If you obtain and hold personal information relating to any living individual, including your existing and prospective customers and employees, then the GDPR will apply to your business. The GDPR imposes direct obligations on data processors as well as data controllers so it will apply whether your business processes personal data or controls how the data is processed.
DOES MY BUSINESS HOLD INFORMATION THAT IS CLASSIFIED AS ‘PERSONAL DATA’?
The definition of ‘personal data’ is wider than before and includes any information which either directly identifies an individual or which can be used to identify an individual. Such information includes names, dates of birth and addresses, as well as online identifiers such as IP addresses.
Most businesses hold at least some personal data, whether it relates to their clients, employees or their contacts. It is imperative that businesses carry out an assessment of what information they hold and what changes, if any, should be made to ensure compliance with the GDPR.
WHAT OBLIGATIONS DOES THE GDPR IMPOSE ON ME AS A BUSINESS OWNER?
The GDPR requires data controllers to include specified data protection obligations in processing contracts. It also requires businesses to be able to demonstrate compliance with the GDPR, for example by having relevant data protection policies and procedures in place:
- A company-wide data protection policy paired with staff training, data audits and regular HR policy reviews;
- A compliance programme and privacy governance structure; and
- An updated electronic system that protects data by default, for example by encrypting data.
WHAT IF MY BUSINESS BREACHES THE GDPR?
The ICO has the power to award compensation to individuals and impose fines up to the equivalent of €20m or 4% of the worldwide turnover of the business that has breached the GDPR, although the ICO has indicated that its first resort will normally be one of the other sanctions available to it, such as warnings, reprimands and corrective orders. A business that fails to comply with the GDPR also puts itself at risk of reputational and professional damage, so it is important to take the necessary steps to ensure compliance.
For more information call AMD Solicitors and speak to their experienced Commercial team on 0117 9733 989 or by emailing email@example.com.