On 25th May 2018 the Data Protection Act 1998 (DPA) will be replaced by the General Data Protection Regulation (GDPR). This is a response to the increasing reliance on the internet to store personal data, which in turn exposes more and more businesses to a growing threat of cyber-crime. The introduction of the GDPR will therefore affect us all, but most notably every business that holds or uses personal data will have to actively assess the implications of the new rules to ensure compliance.
A good starting point is the guide to the GDPR on the Information Commissioner's Office (ICO) website, which includes a useful 12-step process businesses should follow to make sure they are compliant. For any further queries, small businesses can call 0303 123 1113 to access the ICO's dedicated telephone service.
The GDPR aims to create a proactive approach within businesses to managing their data better, by understanding how and why data is used and stored, which in turn helps prevent data breaches. To begin with, businesses should look at how data is gathered and then follow its path through the business until the point at which it is destroyed. This will show the business where the data it holds is vulnerable to any sort of breach. The importance of proactively managing the data process is underlined by the vast increase in fines, up to 20 million euros or 4% of annual global turnover (whichever is higher), which can be imposed not just for data breaches but for any failure to comply with the GDPR.
Other major changes include the requirement for a client/customer to give a positive indication of consent before their data is stored and used (e.g. before being included in marketing lists), and the right of a client/customer to request that all the personal data a business holds about them be permanently erased (the right to erasure). These changes mean there is no one-size-fits-all approach businesses can take, as each business gathers, stores, uses and deletes data differently. Every aspect of the data journey within a business can now be scrutinised, and, unlike under the DPA, everyone within an organisation who comes into contact with personal data will need to show that they are complying with the GDPR.
In summary, businesses need to make a comprehensive assessment of the journey data takes through their organisation to ensure that everyone who touches that data complies with the GDPR.