GDPR is coming
The General Data Protection Regulation, or GDPR, replaces the current Data Protection Act (1998) and comes into force on 25th May 2018. Regulated by the ICO, the GDPR strengthens the rules around personal data and requires organisations to be more accountable and transparent. It also gives people greater control over their own personal data.
Designed to help safeguard data protection rights for individuals, the GDPR introduces a single set of rules across the EU when it comes to how organisations handle data relating to identifiable individuals. That means if your business holds personal information such as names, addresses, staff records, customer lists and even online identifiers (such as a computer’s IP address), you could be subject to certain requirements of the GDPR.
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA). If you are complying properly with the current law, most of your approach to compliance will remain valid under the GDPR and can be the starting point to build on. However, there are new elements and significant enhancements, so you may have to make changes and do new things.
The GDPR toughens up the penalties that already exist under the DPA, which include:
- Fines up to £500,000
- Prosecutions, including prison sentences for deliberate breaches
- Obligatory undertakings, where your company has to commit to specific action
When the GDPR begins in May, these penalties will get heavier:
- Businesses in breach will see a dramatic increase in fines. Penalties can reach an upper limit of €20 million (or four per cent of annual global turnover if that is higher).
As well as regulatory fines for non-compliant businesses, bear in mind the possibility that individuals might also sue you if they suffer as a result of how you handle their data.
The GDPR’s implementation on 25th May happens before the date of the UK’s withdrawal from the EU, so all businesses will definitely need to be compliant with the GDPR. Although the UK’s data protection status after Brexit is still unknown, the government has suggested that it intends to implement equivalent GDPR rules post Brexit (see the Data Protection Bill announced in the 2017 Queen’s Speech) to make sure frictionless movement of data between the UK and the EEA continues.
The Information Commissioner’s Office (ICO) website has a vast range of tools to help small businesses, including a self-assessment toolkit created with small organisations in mind. You can use its checklists to assess your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure. The ICO self-assessment toolkit is available on the ICO website. Further useful links are outlined below.
Some of the official documentation is still being developed – for instance, detailed interpretation of the rules for establishing consent from individuals. The ICO expects the Article 29 Working Party to finalise their guidelines by the middle of April.
Many resources are available to support small businesses. Here are some links you may find useful:
The ICO also has a helpline specifically for GDPR enquiries. Call the helpline on 0303 123 1113 (local rate – calls to this number cost the same as calls to 01 or 02 numbers). If calling from outside the UK, you may not be able to use the 03 number, so please call +44 1625 545 700. Their normal opening hours are 9 to 5 Monday to Friday.
HETAS has been registered with the ICO as a Data Controller since 2016. HETAS will be reviewing the terms and conditions we apply to our registration schemes, to reflect the GDPR, and will publish any changes through our website.
You can contact the HETAS team on 01684 278170 or by email.