Coming to a business near you, this 25th May: The General Data Protection Regulation!
As you may know, there is always a big fuss about privacy and the use of personal data in today’s media. In an attempt to strengthen the control of private information and make our daily lives more secure, the EU has developed the General Data Protection Regulation, which comes into effect on the 25th May 2018.
This will affect all EU businesses – now I know what you’re thinking, ‘what about Brexit?’
In May 2018, we will still be a member of the European Union. We could still be a member of the EU for the next year and a half, in fact. So the regulation will still legally apply to UK businesses. Also, the UK government published a Data Protection Bill in September last year, which essentially transfers the GDPR into UK law. But that’s not all – the new regulation’s jurisdiction has expanded to apply to all companies processing the personal data of people residing in the EU, regardless of the company’s location.
The GDPR defines personal data as ‘Any information related to a natural person or “Data Subject”, that can be used to directly or indirectly identify the person’.
So How Do I Store Data?
If you collect customers’ names, addresses, email addresses and telephone numbers for marketing purposes, you need to be sure of where you store them, and who has access to them.
First and foremost, the majority of you, as our clients, are small businesses. There are reduced requirements for businesses with 250 employees or fewer, such as the amount of information that must be recorded. However, you must always remember to consult a professional before you alter your practices.
If you have a newsletter you send out, whether to professional clients or the public, you need to be careful about your subscription policy. ‘Opt-in’ boxes cannot be pre-ticked when the customer accesses the website. It does not count as valid consent if they conveniently forget to un-tick it, so this would be a breach of the regulation.
If you suspect or know of a personal data breach, you have 72 hours to report it, where feasible. If you are legitimately unable to report the breach within the time limit, be aware that you may need to provide evidence of this when reporting the breach late.
If a business is found to be in breach of the GDPR, the penalties are pretty severe – up to 4% of your annual global turnover, or €20 million, whichever is greater! However, before you panic: fines are only a last resort. It’s more likely that any breaches will be met with a warning notice and a request to correct your practices.
If you have any questions or concerns about the GDPR, and whether you’re ready for it, please don’t hesitate to contact us at Hello@melrosegroup.co.uk, or read more at this link.