The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. Businesses will have to comply with the GDPR requirements or face the possibility of a fine of up to £20 million or 4% of annual global turnover.
The regulation gives individuals more rights over the way their personal information is used, and increases the obligations on businesses to ensure that any personal data they collect has been obtained with the agreement of the individual. Some of these obligations already exist under the Data Protection Act.
Here is a basic checklist for businesses regarding GDPR:
- Ensure that they have a lawful basis for collecting and using personal information, such as consent from the individual concerned or a contractual agreement.
- Provide more information about the collection and processing of personal information upfront and in a more transparent and easily accessible way.
- Maintain records about all the personal information they hold and how it is collected, stored and used.
- Appoint a Data Protection Officer within the business or a virtual Data Protection Officer.
- Respond to requests for rectification within one month, or within three months for more complex requests.
- Inform third parties who have received personal data where the data in question needs to be restricted or erased.
- Immediately stop using personal information for direct marketing where the individual has requested this.
- Comply with stricter requirements where personal information is held about children.
If you would like any advice or guidance on GDPR for your business, visit the website of the Information Commissioner’s Office (ICO).