May 2018 is a big month: two bank holidays and hopefully some sunshine to go with them, a Royal Wedding and, most importantly for all businesses, the new General Data Protection Regulation (GDPR) applies from 25th May, just one month away now.
What is GDPR
GDPR is a piece of European legislation, but it will be carried over into UK law once we leave the EU, and it applies to every organisation that processes personal data, no matter how big or small your business; there is no small-business exemption.
Under GDPR there are greater fines, up to an eye-watering €20 million or 4% of annual global turnover (whichever is the higher), and individuals can claim compensation for financial loss and for distress. Whilst GDPR applies immediately to everyone, it is hoped that the Information Commissioner’s Office (ICO) will encourage organisations to address issues rather than immediately reaching for the handcuffs! But it is likely that they will be tougher on those who have done nothing.
GDPR has been designed to address the modern world of data and how we use it. It affects all areas of your business that process personal data, so that’s your customers, suppliers, website users and your employees, contractors, consultants and temporary workers too.
With much bad press of late about data misuse at businesses such as Cambridge Analytica, Morrisons supermarkets and Yahoo, getting it right is critical: apart from the fines, reputational damage to your business is a very real hazard.
Here’s what you need to do
So, if you haven’t already got everything ship shape, or are not confident that what you have is correct, here’s a quick list of what you need to do in the next month to be ready:
1. Start with an audit of your data – what do you hold? How do you get it? Why do you hold it and for how long? How and where is it stored? What procedures do you have to monitor it? How do you get rid of it, and who is responsible for looking after all of this?
2. Become familiar with the new GDPR rules, be informed, assess your risk and exposure so you can do something about it.
3. Consider how you can show you are compliant with GDPR, such as:
- Check your employment contract clauses are up to date
- Be very clear as to why you are processing the data
- Where you rely on consent to process personal data (consent is only one of the lawful bases, so be clear which one applies), check that the request for consent is clearly distinguishable from other matters; it can no longer be buried in a contract, and it must be freely given, specific, informed and unambiguous. Sensitive (‘special category’) data needs explicit consent or another specific condition.
- Check your customer agreements and any electronic advice and agreements on your website and email, etc.
- Check your policies are up to date – data protection, social media, IT, communications, etc. Not forgetting disciplinary and grievance policies too.
- Check that you have a process for dealing with data subject access requests, sharing requests and complaints within the time limits (generally one month for an access request).
- Train and educate your staff and business owners, managers, etc., create a culture where everyone is aware and knows what to do
- Make sure your IT and other systems and processes provide appropriate security for the data (access controls, encryption and backups where appropriate), and that you have a plan for detecting and reporting a personal data breach to the ICO within 72 hours where one is required.
- Make sure you are only processing personal data within the GDPR rules
- Designate responsibility and accountability for ongoing data protection compliance.
There is much more to GDPR than this simple list. If you need help, advice or assistance, or simply a health check, please do get in touch. We have experts who can get it right for you, so there are no unexpected trip wires to fall over!
About Nicky Machin, Puffin HR Ltd…
With 25 years management experience, a Master’s degree in employment law and a fellowship from the CIPD, Nicky is proud to deliver excellence and expertise in the employment and management of people. Her extensive experience is enhanced by her approachability, clarity, cultural awareness and hands on delivery of ‘do how’ as well as ‘know how’.