The General Data Protection Regulation, also known as the GDPR, has been hitting the headlines recently due to the significant fines and penalties that will be levied for breach of its provisions. Kate Colleary, co-founder and director of Frontier Privacy, explains what this means and outlines how your business can prepare.
The GDPR aims to make businesses more accountable for data privacy compliance and offers citizens extra rights and more control over their personal data. Preparation for the GDPR must be prioritised at board level for all organisations as it will have significant impact on all businesses. Not only must organisations comply with the GDPR, they also must be able to demonstrate compliance.
GDPR will take effect on May 25th 2018. With less than a year to go, it is crucial to start preparing for it now, so you can demonstrate compliance. We recommend that each business does the following as soon as possible:
Breaches of the GDPR can attract fines of €20 million, or up to 4% of group annual global turnover. There are also potential criminal consequences for breaches. So, it is important to get started on compliance now, as it will take time. Do not put it off!
The GDPR provides the following rights for individuals:
Businesses must process data fairly. That means that you must be transparent about what you are doing with data. You must also have a legal basis for collecting data: in some cases you may have to collect credit card details to fulfil a contract; in others you may rely on people consenting to your marketing activity.
According to Article 32 of GDPR, consent should be “freely given, specific, informed, and unambiguous… by written statement”. One way of demonstrating consent is to invite the customer to tick an opt-in box confirming that they wish to receive marketing messages via specific channels (such as post, email, live phone call, etc.). It can also be done by clicking an icon, sending an email, subscribing to a service or providing oral confirmation. Silence, pre-ticked boxes or inactivity will not constitute consent.
Some businesses will have to appoint a data protection officer (DPO): those whose business activity involves regular and systematic monitoring of data subjects on a large scale, or which process special categories of data, such as health data. The DPO does not have to be a lawyer but must have expert knowledge of data protection law and practices. The main tasks of the DPO are the independent supervision of an organisation’s compliance with the GDPR, as well as advising and overseeing staff dealing with personal data.
Colleary & Co law firm, and its sister consulting practice, Frontier Privacy, helps clients comply with data protection requirements. From initial compliance assessments, to drafting policies and training staff, we can help. Contact: Katecolleary@collearyandco.com
This Business Support article featured in the September/October 2017 edition of The Hardware Journal.