The growth of online services has changed a great deal about how personal data reaches you.
An individual simply visiting your website can give you a lot of information, and you're responsible for keeping that data safe.
The EU overhauled its previous data protection rules with the General Data Protection Regulation (GDPR). You must comply with GDPR when handling personal information, and failure to do so can lead to significant fines for your business.
In this guide we’ll explain what GDPR covers, who it applies to, and how to ensure your business complies with the rules.
What is GDPR?
GDPR stands for the General Data Protection Regulation. It is the privacy law drafted and passed by the European Union (EU).
The regulation seeks to protect those whose data is processed, and to ensure they have rights over how and why their data is used.
There’s no specific GDPR act in the UK, but this regulation led to the introduction of the Data Protection Act 2018.
When did GDPR come into force?
GDPR regulations came into force on 25 May 2018.
Despite being based on EU law, the UK continues to follow GDPR after Brexit.
What are the seven principles of GDPR?
These principles are said to lie at the heart of the data protection regime:
- Lawfulness, fairness, and transparency.
- Purpose limitation.
- Data minimisation.
- Storage limitation.
- Integrity and confidentiality (security).
There are also several rights enshrined in the GDPR. These include:
- GDPR consent: This must be clear and specific, giving individuals real choice and control. Evidence should be kept of this, and it should be easy for consent to be withdrawn at any time.
- GDPR right to be forgotten: Formally, this is the right of 'erasure', and allows an individual to have their personal data erased in certain circumstances (it will not apply where the data is held in compliance with a legal obligation, or for the purpose of establishing or defending a legal claim, amongst other reasons).
Who does GDPR apply to?
The GDPR principles apply to those who process and store personal data relating to individuals. Therefore, it's likely that many organisations will fall within the rules.
If you do fall within the scope of GDPR, you must do one of two things: either appoint a specific GDPR data controller, or be jointly responsible for compliance with GDPR data protection rules.
You’ll also have to decide the purpose for which the data is gathered, and what specific data is needed.
For GDPR compliance, you must have documents and processes that show you're following the rules and ensuring data protection. Therefore, it's very important that organisations implement a GDPR policy and conduct GDPR training for all their staff.
Your GDPR policy sets out how your organisation uses personal data, and how it’s protected.
Your policy should include:
- Appropriate contact details.
- The reason data is being processed.
- Who data may be transferred to.
- Which countries data may be transferred to.
- Whether cookies and other tracking technologies are used.
- How long data will be stored.
- What rights users have under the GDPR.
- How users can act on those rights.
What happens if an employee breaches GDPR?
The Information Commissioner’s Office (ICO) must be informed of any GDPR breaches—unless you can show it’s unlikely to result in a high risk to rights and freedoms.
Failure to notify the ICO of a breach can result in GDPR fines of up to £8.7 million, or 2% of global turnover.
If there's a high risk to an individual's rights and freedoms, then the individual will also have to be told. This notification must be made within 72 hours of the breach.
Read our guide on employee breaches to learn how to avoid data breaches.
Expert support on GDPR with Peninsula
With data being gathered from many sources, it can be difficult to keep track of and manage the information you hold. But failing to do so can be disastrous for your business.
Peninsula can clarify what steps you need to take to ensure legal compliance, and our expert team can draft policies to ensure all your staff know the correct procedure.
Not a client yet? You can still enjoy a free advice call from one of our business experts. Simply call us on 0800 028 2420.