The General Data Protection Regulation (GDPR) is due to come into effect in May 2018. It’s an EU initiative, but it’s not safe to assume that the provisions will be abandoned because of Brexit. The UK government may decide to adopt the measures, and in any case the Brexit path is not entirely clear currently.
Basically, the GDPR says that any business that processes or stores EU citizens’ data must comply with a set of new regulations concerning data protection and privacy.
How Can You Make Sure Your Business Is Ready?
Firstly, make sure that the people who need to know about the new regulations are fully up to speed with what they involve. Next, prepare a document that lists all the personal data you hold about customers, employees and others. At the moment, when you take personal data from people, you give them a notice which explains what you’re collecting and why. You need to review this notice and make sure it complies with the new regulations.
People will need to consent to having their data collected, so make sure that you can prove that this happened.
Under the GDPR people have certain rights over their data. For example, they can ask for it to be deleted. So you need to be sure that you’re able to comply with all requests. There are time limits for doing this, so check your workflows to ensure that you can meet the deadline.
Extra Protection for Children
Be aware that children will be given extra protection under the new regulations, particularly in relation to social media. You need to find out how old your customers or users are and ask for parental consent if necessary.
This is unlikely to apply in some businesses. It would be a canny five-year-old who tried to open an account with rackzone rivet shelving stockists, no matter how many Lego models they had or what their interest in rivet shelving was. But for some businesses, this will be a very real concern.
Appoint someone to take responsibility for data protection – that way you’ll almost certainly be less likely to have a breach to report. And remember that you need to carry out Privacy Impact Assessments – you can get guidance on this from the Information Commissioner’s Office.