The General Data Protection Regulation, or GDPR, is a new law that will replace the Data Protection Act on the 25th May 2018. It promises to bring much tighter control over the way that companies use personal data, with a real bite if the law is breached. The maximum penalty is £17 million, or 4% of the total global turnover of the company – and if the company is part of a group, then the group’s turnover is considered.
Why is the new law needed?
Technology has changed very quickly over the past 10 years, with the rise of the internet and cloud technology meaning that data can be distributed very widely, very quickly. There have been many data breaches in recent years – such as TalkTalk, Tesco Bank, Morrisons, Yahoo, Sony and even HMRC. The fines that were previously available to the regulator were relatively small and companies were taking liberties with individuals’ personal data.
How will GDPR affect me?
There’s a lot to do if you handle personal data in any way. Maybe it’s your internal staff details, or your CRM system that holds all your customer data – you need to consider it all. It’s not possible to outsource the issue either – you have ultimate accountability, although you can hire a specialist to help you. GDPR means that you may have to change the way that you use data, not just make sure that it’s held securely. Do you have a mailing list? You will need to ensure that everyone on it has opted in, and not use a list that has been provided to you.
What information does GDPR apply to?
GDPR applies to all information that can be used to identify a person. This means that retaining something like an IP address, which can be used to identify a person on the internet, could be classified as processing personal data. As with the Data Protection Act, manual paper-based records are also covered.
What should I do?
You need to start planning. You need to understand how the new law will affect you and you will need to change the way that you work to ensure that you are compliant.