Are you ready for the GDPR?
Data protection is this month's hot topic and a must for most businesses that hold personal information on, or for, their clients in this age of ecommerce, shared business information and digital communication.
The Data Protection Act 1998 https://www.gov.uk/data-protection requires every organisation that decides how and why personal information is processed (the data 'controller') to register with the Information Commissioner's Office (ICO) unless it is exempt. Failure to do this is a criminal offence. So if you hold or use data about your clients this is essential. If you think you should be registered and aren't, follow this link to the ICO https://ico.org.uk/for-organisations/register/
As of the 25th of May 2018 the law is changing: a new regulation, the General Data Protection Regulation (GDPR), will apply directly in every EU member state to unify data protection across Europe. A guide can be found on the ICO website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
The main principles will be as follows and could make it very difficult for small businesses to adhere to:
- You will need documentation to prove compliance with the GDPR, i.e. records of what personal data you hold, why you hold it, how it is secured and, where you rely on consent, evidence of that consent.
- Appoint a Data Protection Officer where the GDPR requires one (public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data); other businesses may still choose to name someone responsible for data protection.
- You will need to identify and document a lawful basis for holding any personal data (consent is one of six; performance of a contract and legitimate interests are others).
- You will need to ensure all data is protected by appropriate technical and organisational measures, e.g. access controls and passwords or encryption for digital files and locked cabinets for paper documentation.
- All records must be accurate and up-to-date.
- Where you rely on consent, you must be able to demonstrate that it was given.
The most difficult aspect of the GDPR for most small businesses will be customer and prospect consent. Consent is only needed where consent is the lawful basis you rely on, which for a small business typically means marketing emails to customers and prospects; holding a customer's contact details in order to deliver a service they have ordered can usually rest on the contract or on your legitimate interests instead. Where you do rely on consent, it must be a freely given, specific, informed and unambiguous affirmative action, and you must be able to demonstrate it, so what you need by the 25th of May 2018 is a record of when, how and for what each person consented (a dated opt-in record rather than necessarily a signed letter). This will mean either deleting/destroying client and prospect marketing data for which you cannot show consent and starting from scratch, or emailing/mailing each individual with a link of some description to record their consent (note that emailing people who have not already agreed to receive marketing in order to ask for consent can itself count as unsolicited direct marketing under the existing Privacy and Electronic Communications Regulations (PECR), so take advice before bulk-mailing prospects). As a business we hold email, phone and address records as an integral part of communication with our clients, and all this information can usually be found on their websites in the public domain, so does this mean consent? No: the fact that contact details are published does not mean the person has agreed to you using them, and a pre-ticked box or silence does not count as consent either. Opt-in boxes will be needed on website forms wherever you rely on consent, for example to send a newsletter, although replying to an enquiry someone has sent you does not need a separate tick-box.
This blog only scratches the surface of data protection, and the guidance on the ICO website is constantly being updated, a living document so to speak, so how do we make sure as a business we are legally doing our duty? It seems at this stage in the game the best thing to do is to adhere to what rules are possible, as full compliance almost seems impossible; a practical starting point is to document what personal data you hold, why you hold it and how it is secured, and keep that record current, since being able to show what you have done is itself part of the requirement.
For more guidance please visit the Information Commissioner's Office at https://ico.org.uk