Today’s blog on the very topical subject of GDPR has kindly been provided by guest blogger, Oliver Tasker, Senior Solicitor within the specialist Employment Law team at Wilkin Chapman LLP.
GDPR – IT HAS ARRIVED BUT ARE YOU READY?
It has been in the news for what seems like an age, but Friday 25 May 2018 has finally arrived, signalling the start of the General Data Protection Regulation (GDPR) and the new data protection laws in the UK.
You may have been inundated this week with emails from various businesses asking whether you would like to opt in to continue receiving their marketing information, and notifying you of updated privacy policies, but marketing is only one element of GDPR.
So what does it mean for your business? Essentially if you process any sort of ‘personal data’ then GDPR will affect you no matter how small or large your business is. Personal data has a wide meaning and if you hold any kind of information where you can identify an individual, from customers’ details to those of employees, then you need to take active measures to ensure you are GDPR compliant. For example:
- Do you employ staff? You process personal data.
- Do you have a website with a contact form? You process personal data.
- Do you have a CCTV system? You will be processing the personal data of the people you record.
Organisations within the EU (and many outside it) which handle individuals’ personal data will be subject to GDPR, and failure to comply could, in extreme cases, lead to fines of €20m or 4% of an organisation’s annual global turnover (whichever is the greater) for the most serious infringements, data breaches included. These figures are often quoted in the press to scare people into action. Essentially, you need to understand the potential impact of GDPR on your business, including the potential risks and how to secure the ‘personal data’ you process. It is a good opportunity to have a spring clean and audit your data to see what you hold, how you process it and how long you retain it for. For example, do you really need to keep employment records for years after an employee has left?
The Information Commissioner (who will regulate compliance) will expect you to provide data subjects (i.e. the people whose data you hold) with certain information, and to take steps to protect their data. You will therefore need to review your policies and procedures and ensure you have the right processes, documentation and training in place in order to demonstrate compliance with the new regime. For example, do you have an updated privacy notice for your staff, a data protection policy, a data breach incident plan, a website privacy notice and a cookie policy? An active approach is essential. We have advised businesses across the UK on preparing for GDPR; it is not too late, so take action now.
For further advice and guidance on GDPR or any employment law matter, Oliver can be contacted on (01522) 515987 or by email: oliver.tasker@wilkinchapman.co.uk