Torfaen Business Voice August 2017 Newsletter
New data protection laws for businesses

No matter what stage of development your business is at - whether start up, expanding or comfortably ticking along - you can be sure that you will be handling information about your customers and partners.
So what's this all about?

The new legislation, known formally as the General Data Protection Regulations (GDPR), revokes a previous EU directive and the Data Protection Act 1998 and it comes into force fully on 25th May 2018.

The GDPR sets out the rules for the processing of a person's data with a view to protecting their rights and freedoms, as well as setting the requirements for the movement of this data. The GDPR is overseen by the Information Commissioner's Office (ICO).
So what are the rules?

In summary, there are six principles of the GDPR. These are that personal data must be:

1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary for the purpose of processing
4. Accurate and up to date
5. Not kept for longer than necessary
6. Securely kept
Why does this matter?

Whilst this might not seem like a big deal, these changes in the legislation that governs how businesses look after that data mean that the implications of getting it wrong are serious: you could be fined up to 4% of your turnover, which could be disastrous.

In addition, individuals affected by a breach of the GDPR will be able to claim damages for hurt as well as material damages. So in effect, if someone lost £1,000 due to fraud caused by your breach of the GDPR, you could be fined by the ICO, made to repay the fraudulent amount (the material damage in this example) and then have a civil case taken out against you for additional damages.
What do I need to do about it?

There's information on the ICO website here https://ico.org.uk/for-organisations/business/ that will help you to prepare for the change in legislation, but they've also produced a paper suggesting that all organisations follow 12 steps to be ready for the new regulation.
1. Awareness: key people in your business need to be aware of the new law.
2. Information you hold: you'll need to clearly document your use of personal data.
3. Communication: you'll need to update privacy notices on your contractual documents to take account of the GDPR.
4. Individual rights: you'll need to ensure that your procedures cover all individuals' rights.
5. Subject Access Requests: as individuals have the right to see the information you hold on them, you'll need to ensure you have a GDPR compliant way of retrieving and sharing the information for free.
6. Legal basis: you'll need to ensure you document the legal basis on which you're processing the data.
7. Consent: you'll need your customers to be very clear why they're giving you the information. This has to be by way of positive opt-in.
8. Children: the GDPR is very specific about the treatment of children's data (anyone under the age of 13 in their world), so if your business deals with this data make sure you follow this closely.
9. Data breaches: you need to have clear procedures for detecting, reporting and investigating breaches to help you avoid the fines outlined above.
10. Data protection by design: if you introduce a new product or service, think about how it'll impact on individuals' data and get it right from the start!
11. Data Protection Officer: every business needs a designated officer. If you're a sole trader, it's you.
12. International: if your business exports data (and if you're exporting a product or service, you likely will be) you'll need to make sure your processes and procedures cover this.
All of this could be very costly but thankfully relatively easily avoided. The ICO has published guidance to help you prepare for the new legislation. And there is still time!

If you want to know more, check out the ICO website: https://ico.org.uk/for-organisations/business/
TORFAEN BUSINESS VOICE | AUGUST 2017 NEWSLETTER