The New GDPR Regulations, Episode 1
The new GDPR Regulations are applicable to all businesses who process personal data and come into effect on the 25th May 2018. There is quite a bit to consider so please watch this sooner rather than later to ensure you are compliant; the penalties are quite onerous!
Hi, and welcome to another episode of Baranov TV designed to demystify the world of accounts and tax, and to help your business grow.
Now this episode is actually the first in a series of two that’s going to be talking about GDPR, which is the General Data Protection Regulations. They’re actually being implemented from the 25th of May, 2018. Now the rules aren’t finalized as yet, but they’re not going to go away, so what I want to do, in these two episodes, is talk you through the main points of GDPR, and the main considerations.
As I say, the rules haven’t been totally refined as yet, and there is still more information coming out, but they’re not going to go away so they do need to be given import. I have notes today because there is quite a lot, that I want to make sure that I cover off. I hope you’re sitting comfortably!
To start off with, the GDPR regulations relate to the control of personal data and information. They actually control how you deal with data and make sure that it’s safe, and how you respond if any data does go missing, in terms of a data breach.
There are fines for non-compliance with these regulations, and they are stiff and heavy fines. It’s either a maximum of 20 million Euros, or 4% of global income. Now, realistically for smaller businesses we’re not looking at 20 million Euros, but we don’t know where those fines are going to be pitched.
Also, they’re designed to ensure or minimize the risk of legal action and damage to reputations, and the most important thing any of us business owners have, is our business reputation. So we want to make sure that you are able to protect your reputations and the data that you all hold is kept safely.
We’ve all been aware over the previous years of the data breaches that have happened from Equifax and Yahoo and some of the government information that’s been left on trains and memory sticks and laptops and things. These regulations are designed to protect all of us from those sorts of situations.
Now, the key factors are around personal data, and personal data is denoted as information that relates to an individual that enables them to be identified either directly or indirectly. So we must only retain information that’s necessary for the explicit, specified, and legitimate purpose; that legitimate purpose must be made very clear. So, for example, as accountants we don’t need to hold information on someone’s inside leg measurement.
The point is that you can only keep data that is actually relevant to your purpose, and that purpose must be clear.
That data that you keep must be accurate, and it must be kept current. So you can’t keep out of date information and if somebody lets you know that something’s inaccurate, you must put it right.
You can only keep data as long as is necessary for the purpose it was collected, unless there are specific reasons. For us, we would have specific reasons to retain data because HMRC requires us to be able to keep data for up to six years. So if a client left, we would be able to keep that data beyond that point; in fact we would have to keep it for those six years.
The data must only be retained as long as necessary, and it can only be processed using appropriate security against unauthorized access, damage, loss or destruction. So it’s all around security of the data as well as its retention. You must be able to demonstrate compliance with the regulations; so it’s an awful lot of documenting that needs to be done, I’m afraid.
To start off with there are six lawful reasons to hold personal data. There’s a specific area of GDPR, which is article 6.1, and that tells you what those six lawful reasons are. What you need to do is decide under which of those lawful bases you actually are going to keep and process the personal data. Now you need to make that decision before GDPR comes in on the 25th of May. You need to document that decision as to which basis you’re going to go on.
It could be that actually depending on what sources and what types of personal data you’re keeping, you’re actually going to operate on more than one basis. So it could be one basis for existing customers, it could be another basis for prospect information around personal data. So you do need to give those areas consideration. There are currently six of them, so you need to make the decision which one of those you think is your lawful basis for processing data.
Once you’ve done that you need to consider that consent is a major consideration. All individuals must be given various information around consent and giving their consent to you holding and processing their data. They must freely give their consent; sorry, I should say you MUST be using opt-ins. So you can’t any longer have a tick box that is already ticked. You must give the individuals the opportunity to tick that box. And if you’re processing data on them you must give them the opportunity to actually withdraw their consent, so if you’re emailing them, they must have the opportunity to unsubscribe from emails.
They have a right to be forgotten; so individuals can actually request that their personal data be removed or deleted. You must be able to show that is what you’ve done, and that you are actually capable of deleting that information.
Any breaches of data security must be notified to the ICO within 72 hours, so you need to have a process in place to identify that a breach has happened and to actually be able to notify them that that’s taken place.
There are special categories of data which now have separate provisions, such as data around children; genetic, medical or biometric data. Those regulations are more stringent, so if you do hold data around children then that is something specific to make sure that you go and you look at.
I think that’s enough for the first episode; there is way more information on the ICO’s website, which is www.ico.org.uk. Do please go and have a read, there’s lots and lots of information on there. It does take some wading through, but they also have checklists and lots of information on there that you can actually be prompted by. The information on there is being updated on a regular basis so do keep it in hand and do keep going back and refreshing and making sure that you’re aware of all the additional granular information that’s still coming out.
GDPR is going to be risky for small businesses because so many of us hold so much data. We do need to make sure that we do make the time between now and May to do what we need to, to make sure that we’re safe and reducing our risks as far as possible.
Finally, please do not take the information that we’ve put in this episode, or in the other episode, as gospel. As I say, the rules are still being refined, but we’re trying to just give you the potted highlights. I know that it’s not something that you’re going to be pleased to hear, but do make sure that you realize from this that this is something you need to give credence to, and ideally go and speak to a solicitor about, because your particular business will be unique to you, the way you operate will be unique to you, and it’s a solicitor who will be able to tell you whether your policies are actually in line with GDPR or not.
Do check out episode two, and come back to us if you have any specific questions, but I would strongly recommend the ICO website and a good solicitor.
If you need any help with that then do get in touch. As ever, give us a call, get in touch, drop us an email if we can help in any way and we will see you very soon.