The GDPR is a data protection framework with a wider scope than the law it replaces, much tougher penalties, and a judicial remedy for those who fail to comply with the rules on the storage and handling of personal data, whether held on paper or electronically.
In this edition of My Planet Liverpool, Vicki Harper, Client Services Director at BWM, introduces a special client *Guide produced by the company to help existing and new clients understand the General Data Protection Regulation (GDPR), which applies from 25th May 2018.
*Please note that this article and the full guide are intended to highlight some of the issues and do not give exhaustive coverage of this topic. Professional advice should always be taken before action is either taken or refrained from.
WHY ARE THESE NEW LAWS BEING INTRODUCED?
Since the Data Protection Act was introduced in 1998, technology and the internet have developed so quickly that the current rules are now considered ineffective. Data collection has become so easy and sophisticated that thousands of SMEs not only collect personal details but store, move and access them online, and this has been accompanied by a rise in cybercrime, with UK companies reported to have lost more than £1 billion to it in 2016 alone. Major data breaches have given criminals access to names, dates of birth and addresses, along with social security and pension information. A recent Federation of Small Businesses (FSB) report claims that SMEs are now more likely to be targeted by cybercriminals than larger companies, because SMEs are considered softer targets.
The GDPR is considered a real necessity for the protection of data in a modern, internet-based society. It is also an opportunity to take a fresh look at your data security, since a data breach can harm both your business and its reputation.
WHAT ARE THE KEY CHANGES FOR SMEs?
Any company that processes personal data will need to comply with the new obligations. The first step is to understand how your existing processes must change under the new rules.
DO YOU HAVE EXPLICIT CONSENT FROM INDIVIDUALS FOR THE DATA YOU HOLD ABOUT THEM?
Under the GDPR the requirements for consent have been tightened significantly. Where you rely on consent, you MUST be able to demonstrate it, which means keeping a record of what the individual agreed to, how and when they agreed, and what they were told at the time. Consent must be a clear, positive action by the individual: it CANNOT be inferred from silence, inactivity or a pre-ticked box, and it must be as easy to withdraw as it was to give. Bear in mind that consent is only one of the lawful bases for processing; in many cases a contract, a legal obligation or a legitimate interest will be the more appropriate basis, and the basis you rely on should be documented (see the checklist below).
ARE YOU A DATA PROCESSOR OR DATA CONTROLLER RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA?
Under the GDPR, data processors have direct legal obligations for the first time and are required to keep records of the personal data they process and of their processing activities. Controllers also have further obligations: any third party that processes personal data on your behalf, e.g. a cloud hosting provider or an outsourced payroll or marketing company, must be bound by a written contract covering the GDPR requirements, and you remain responsible for checking that they comply.
DO YOU HAVE A DATA PROTECTION PROGRAMME AND ARE YOU ABLE TO PROVIDE EVIDENCE OF HOW YOU WILL COMPLY WITH THE REQUIREMENTS OF THE GDPR?
Both the data controller and the data processor are responsible for putting in place organisational and technical measures that are appropriate to the risk, and for being able to show that they have done so. Data protection and privacy requirements should be built into your business processes and systems from the design stage rather than added afterwards. Keeping data secure will require a review of current practice in order to prevent data breaches.
MANDATORY BREACH NOTIFICATION
WOULD YOU BE ABLE TO NOTIFY THE DATA PROTECTION SUPERVISORY AUTHORITY OF A DATA BREACH WITHIN 72 HOURS?
A breach that is likely to result in a risk to individuals must be reported to the supervisory authority (in the UK, the ICO) within 72 hours of your becoming aware of it, and where the breach is likely to result in a high risk to individuals you must also tell those affected without undue delay. The 72-hour clock starts when you become aware, so you need the ability to detect a breach, establish quickly what data and which individuals were involved, and keep a record of every breach, including those you decide not to report. You will also need internal processes that allow you to communicate quickly and accurately with the customers and individuals affected.
DO YOU KNOW HOW YOU WILL COMPLY WITH THE NEW RIGHTS; THE RIGHT TO BE FORGOTTEN, THE RIGHT TO DATA PORTABILITY AND THE RIGHT TO OBJECT TO DATA PROFILING?
You will need processes in place to comply with these rights and to demonstrate that they have been honoured, including telling any third parties to whom you have passed the data. Individuals have the right to withdraw consent at any time. Where erasure is required, the data must be permanently removed from all copies you hold, including backups and data held by your processors, unless you have a legal obligation or another lawful reason to retain it, in which case you should record that reason.
DATA PROTECTION OFFICERS
DO YOU CONDUCT LARGE SCALE SYSTEMATIC MONITORING (INCLUDING EMPLOYEE DATA) OR PROCESS LARGE AMOUNTS OF SENSITIVE PERSONAL DATA?
If your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive (special category) personal data, you must appoint a Data Protection Officer. Even where a DPO is not mandatory, someone in the business should be clearly responsible for data protection (see item 7 of the checklist).
HOW CAN BWM HELP?
If you require further help with your planning for GDPR please contact BWM. If required the company can introduce you to an expert in this area who can perform an information audit and work with you towards GDPR compliance.
GDPR PLANNING CHECKLIST
The following checklist will help you to prepare for the GDPR by documenting your existing procedures and identifying areas to strengthen. It should not be relied upon as comprehensive guidance but as a reminder of some of the key points of the GDPR; for more detailed guidance, refer to the Information Commissioner’s Office.
Please visit: www.ico.org.uk
1: Review all the data you hold and ask “why is it held?”, “do you still need it?” and “is it safe?” Make a note of the different sorts of data you hold, e.g. on employees, customers, suppliers and third parties;
2: Look at your consent procedures as well as privacy notices on your website and terms of business. Do you get customers to positively agree to you holding their data?
3: Document the lawful basis on which you hold each type of data, e.g. consent, legitimate interest or a legal obligation to collect and process it;
4: Plan how you will handle subject access requests and requests for erasure (the right to be forgotten) from individuals within the new timescale, which is generally one month;
5: Look at your processes for keeping data safe, identify any problem areas (e.g. personal data held on laptops, phones or USB sticks) and decide how you can reduce the risk of a data breach (e.g. encrypting those devices and any data you send outside the business). This will also mean reviewing the security of your backups, computers and passwords, and identifying any new technology that will help you to comply with the GDPR;
6: Document the procedures you have in place to detect, report and investigate data breaches and let EVERYONE in your business know about your new data protection policy;
7: Decide who in your business will be responsible for the GDPR, for making sure ALL employees are aware of the new regulations, and for ensuring compliance.
Whether you complete the planning yourself or use an external consultant, you will need to use your judgement to confirm that your governance measures are proportionate to the data you hold. Document the actions you plan to take and record the changes you make.
For more information please contact:
Vicki Harper, Client Services Director
6th Floor • Castle Chambers • 43 Castle Street • Liverpool L2 9SH
t: 0151 236 1494 f: 0151 236 1095 • e: firstname.lastname@example.org • www.bwm.co.uk
BWM are a leading, independent chartered accountancy practice in Liverpool with a heritage that can be traced back to 1926. The firm provides a wide range of accountancy and business support services to organisations and individuals across the North West; and their client base ranges from individuals and families to large companies and charities.