GDPR stands for General Data Protection Regulation. It came into effect on the 25th May 2018. It is effectively the law which regulates how businesses must go about protecting the personal data of EU citizens.
Any business that markets goods or services to EU citizens needs to ensure that they comply with the GDPR.
In the UK, the Information Commissioner's Office (ICO) is responsible for enforcing data protection regulation.
What are the principles of GDPR?
GDPR sets out 7 basic principles according to the ICO
You can find a full guide to the GDPR on the ICO website.
What does this mean for businesses?
Obligations for businesses to implement better data management
GDPR increases the accountability of businesses that hold personal or sensitive data about people. This means businesses are now required to document things such as data protection policies, data protection impact assessments and data processing procedures. It may also require you to have someone responsible for data protection employed within your business.
If as a business you suffer a data breach (as a result of a cyber-attack, or through accidental loss for example) you must inform the ICO within 72 hours. You also have a responsibility to inform the people affected by the breach that their data has been compromised.
If your company employs more than 250 people you will also need to document:
Do refer to the full GDPR regulation for exact details of what your business must have in place to comply.
New rights for people to access their data that businesses hold about them
If you hold a person’s data or information, then you need to be aware of their rights when it comes to accessing their data. Individuals can now submit a Subject Access Request (SAR) for free. This gives your business one month to provide the information that has been asked for.
A Subject Access Request can allow users to find out what data you hold about them, how you are using that data, who you are sharing it with and where you got their data from.
GDPR increases the ability of the ICO to fine businesses who fall foul of the GDPR regulation for whatever reason. Under the previous Data Protection Act, fines could reach a maximum of £500,000. Under the GDPR, fines imposed can reach much higher levels.
There are two tiers of fine which can be applied depending on the seriousness of the breach
Why staying in line with GDPR is important for your business continuity
GDPR has increased people’s awareness of and put more focus on data protection and their rights.
Therefore, as a business it is important that you take data protection seriously and put it at the heart of your business, not only to ensure that you comply with the GDPR but also to ensure your business continuity.
Businesses that can demonstrate compliance with GDPR, and that they take it seriously, may see business advantages as a result. It may mean you are able to win and maintain business contacts, for example.
People want to do business with businesses that they trust. Suffering a data breach or losing customer data can affect the trust that people have in your business. Likewise, media coverage of a data breach can have a detrimental impact. Your business continuity is likely to suffer if you are not able to attract customers. And don’t underestimate the effect that a fine could have on your business.
As with business continuity, compliance with the GDPR will be an ongoing part of your business’s operation. As you change processes, the data that you collect and how your systems work, you need to ensure that everything is done with GDPR compliance in mind.
At First Recovery we always encourage our customers to take a long-term, proactive approach when it comes to business continuity. This will include ensuring that your business complies with any necessary regulation such as GDPR. If you have any questions about how we can help support your business continuity in the event of a disaster, don’t hesitate to get in touch with us today.