GDPR, or the General Data Protection Regulation, is a landmark update in the data laws applying across the EU to consolidate data laws and recognise how personal data is being used in the modern age.
The regulation creates new rights for individuals who have their personal data collected and enforces greater obligations on those organisations who use data.
GDPR will come into force on May 25, with the UK set to replace the Data Protection Act 1998 with new legislation to enact the regulation in domestic law.
With advance notice of this date, businesses need to be taking practical steps now to review their data processes.
The risks of non-compliance are severe under GDPR, with a maximum fine of €20 million or 4% of the organisation’s global turnover in place for data breaches. Each individual breach will be assessed to determine the appropriate fine, with factors such as the nature, gravity, duration and the number of people affected by the breach to be examined.
The first step to prepare for GDPR is to carry out an HR data audit to understand the lifecycle of data through the business, from collection through to deletion.
The audit can then be used to identify gaps where current data protection processes do not meet the new obligations.
It is vital that businesses can identify a lawful basis for data processing under GDPR; for example, ‘consent’ to process will now have to be freely given, informed and unambiguous.
As well as updating internal processes, internal policies may need refreshing to ensure they set out the correct information and rights; for example, data protection policies within the employee handbook are likely to need an update. In some cases, a data protection officer may need to be appointed where large-scale data processing takes place, although businesses can voluntarily choose to appoint an individual with responsibility for ensuring compliance.
For further information contact Chris Povey at Peninsula, Tel: 07966 112 115, or email: Chris.Povey@peninsula-uk.com