The new EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018, but few businesses know what that means in practical terms. Penalties for those who fail to comply with the stricter rules are severe, with fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, so it is essential that you understand the responsibilities the regulation brings.
Research has shown that even global businesses are not ready for the new regulation: just a third (33%) currently have a plan in place to comply with the GDPR [1]. The sooner you start the journey to compliance, however, the lower the likelihood of a fine, bad publicity or even legal proceedings.
The main aim of the GDPR is to change permanently the way businesses collect, store and use personal data. The key steps towards compliance include:
- Auditing the current data protection measures you have in place;
- Documenting all the information you hold;
- Ensuring all your data collection procedures are GDPR-compliant.
Although the GDPR is an EU regulation, the UK government has confirmed that the new rules will be implemented regardless of the form the UK's withdrawal from the EU takes. There is therefore no point in delaying your strategy for dealing with the new rules; in fact, you would be wise to start planning now.
The regulation applies to any organisation that sells to, or stores personal information about, individuals in the EU, wherever that organisation is based. It effectively takes power away from businesses that collect and use data for monetary gain and gives it back to the individuals concerned: prospects, customers, contractors and employees.
Under the GDPR, personal data includes information such as names, email addresses, photos, bank details, posts on social networking sites, location details and IP addresses. The regulation gives individuals a number of rights over this information, including:
- The right to access data held about them
- The right to be forgotten
- The right to transfer their data from one service to another (data portability)
- The right to be informed before data is gathered
- The right to have information corrected
- The right to request that processing of their data is restricted
- The right to object to their data being used
- The right to be notified of a data breach that is likely to put them at high risk
The GDPR is certainly not just an IT issue – far from it. It has wide-ranging implications for the whole company, including how marketing and sales activities are handled. The Information Commissioner’s Office has created a checklist detailing the steps organisations should take to ensure they are ready for May 2018 [2].
If you are concerned about your ability to cope with the implications, or simply do not have the time to make the changes yourself, now is the time to seek assistance from a third party such as a security firm or consultancy. You may also need to appoint a data protection officer responsible for ongoing GDPR compliance; this is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, such as health records.
Although businesses will have to meet several additional requirements on how they handle and process personal data, GDPR compliance could also change your business for the better. Small businesses can use the GDPR as a stepping stone to best practice in the handling, control and security of information, and to improve the quality and integrity of the information they hold.
The opinions expressed by third parties are their own and are not necessarily shared by St. James’s Place Wealth Management. This article originally appeared on the KPMG Small Business Accounting website.
[1] www.economia.icaew.com, January 2018