What You Need To Know About GDPR

Posted By on October 2nd, 2019

GDPR stands for General Data Protection Regulation. It came into effect on 25th May 2018. It is the law that regulates how organisations must protect the personal data of individuals in the EU (it applies to people located in the EU, not only to EU citizens).

Any business that offers goods or services to people in the EU, or monitors their behaviour, needs to comply with the GDPR, whether or not the business itself is based in the EU.

In the UK the Information Commissioner's Office (ICO) is responsible for enforcing data protection regulation.

What are the principles of GDPR?

GDPR sets out 7 basic principles, as summarised by the ICO:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

You can find a full guide to the GDPR on the ICO website.

What does this mean for businesses?

Obligations for businesses to implement better data management

GDPR increases the accountability of businesses that hold personal or sensitive data about people. Businesses are now required to document things such as data protection policies, data protection impact assessments and data processing procedures. In some cases (for example public authorities, or organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data) you must also appoint a Data Protection Officer.

If your business suffers a personal data breach (as a result of a cyber-attack, or through accidental loss, for example) you must inform the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. Where the breach is likely to result in a high risk to those people, you must also inform them without undue delay that their data has been compromised. Either way, keep a record of every breach and of the decision you made about notifying.

If your company employs 250 or more people you will also need to keep records of your processing activities, documenting:

  • Why you are collecting and processing people’s data 
  • How the information collected is held and how long it is kept for
  • Details of the security measures in place to protect the data

Smaller companies are not automatically exempt: the same records are required if your processing is not occasional, is likely to result in a risk to individuals, or involves special category data. Refer to the full GDPR text for the exact details of what your business must have in place to comply.

New rights for people to access their data that businesses hold about them

If you hold a person's data, then you need to be aware of their rights when it comes to accessing that data. Individuals can now submit a Subject Access Request (SAR) for free. This gives your business one month to provide the information that has been asked for (extendable by up to two further months for complex or numerous requests, provided you tell the individual within the first month).

A Subject Access Request allows individuals to find out what data you hold about them, how you are using that data, who you are sharing it with, how long you keep it for and where you got it from.

Increased fines 

GDPR increases the ICO's power to fine businesses that fall foul of the regulation. Under the previous Data Protection Act 1998, fines could reach a maximum of £500,000. Under the GDPR, fines can reach much higher levels.

There are two tiers of fine which can be applied depending on the seriousness of the infringement:

  1. The standard maximum: 2% of the business's total worldwide annual turnover or 10 million Euros (whichever is higher)
  2. The higher maximum: 4% of the business's total worldwide annual turnover or 20 million Euros (whichever is higher)

Why staying in line with GDPR is important for your business continuity

GDPR has increased people's awareness of data protection and of their rights.

Therefore, as a business it is important that you take data protection seriously and put it at the heart of your operations, not only to ensure that you comply with the GDPR but also to protect your business continuity.

Businesses that can demonstrate compliance with GDPR, and that they take it seriously, may see commercial advantages as a result. It may help you win new business and keep existing customers, for example.

People want to do business with organisations they trust. Suffering a data breach or losing customer data can damage that trust, and media coverage of a breach can compound the damage. Your business continuity is likely to suffer if you are no longer able to attract customers, and don't underestimate the effect that a fine could have on your business.

As with business continuity, compliance with the GDPR is an ongoing part of your business's operation, not a one-off exercise. As you change processes, the data that you collect and how your systems work, you need to ensure that everything is done with GDPR compliance in mind.

At First Recovery we always encourage our customers to take a long-term, proactive approach to business continuity. This includes ensuring that your business complies with any necessary regulation such as GDPR. If you have any questions about how we can help support your business continuity in the event of a disaster, don't hesitate to get in touch with us today.