GDPR and what it could mean for you

Do you know how GDPR could affect your business?

An insight into the upcoming General Data Protection Regulation by Mark Bowden of elucidate.

Forget the alarmists predicting GDPR will be the next millennium bug and the swathes of companies using its forthcoming introduction as an easy way to boost their coffers. Essentially, GDPR can be summed up as a responsibility regulation.

Many small to mid-sized companies are fearful of the impending regulations and of the potential costs involved, and are worried that they may need to recruit a specialist, potentially risking over-insuring themselves. I’d like to dispel the myth that GDPR is the beast its reputation would have us believe.

Whether you are a data subject, processor or controller, the simple fact is that human empathy and common sense, overlaid with responsibility for data which has been ‘loaned’ (not given), will allow practical compliance with GDPR to a level which is likely to be policed, is ethical and is within easier reach than most sources would suggest.

Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.

Under the regulation, you must inform the ICO within 72 hours if you have a data breach. While a data processor of the data you hold (control) must assist you in finding out about the data breach, it’s the responsibility of the controller to report it. This is relevant whether a company is holding or processing the data itself or the data is with a cloud or datacentre provider. Fines are applicable both for the breach and for the potential failure to report it. Whilst not all breaches may require reporting, it makes sense to ensure this step is included in your processes.

The GDPR also places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability, which, with some foresight and planning, is one of the easier items to tick off as complete and compliant.

Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. The suggestion would be that this should be incorporated into your organisation’s revised privacy policy.

Once a level of understanding is reached around the types of data an organisation holds, where it holds that data and what potential issues could arise around it, a planning exercise is needed to map out which parts of the GDPR will have the greatest impact on your business model and to give those areas due prominence in your planning process. At this stage, a decision on whether a Data Protection Impact Assessment (DPIA) is required for these areas would be pertinent.

Remaining areas requiring forethought and consideration centre around:

Subject Access Rights – the logistical implications of having to deal with requests more quickly.

Consent – positive opt-in and freely given, specific, informed and unambiguous.

elucidate will work with small to mid-sized organisations to navigate the so-called mysteries surrounding GDPR without costing them a small fortune.
Get in touch to see how we can help. It’s the responsible thing to do.

Visit Elucidate now