GDPR is coming, and if you process personal data, it will affect you regardless of the size of your business. This means that there are a number of areas that you need to have checked and documented before the 25th May 2018.
So what is the GDPR? It’s pretty hard to avoid news articles and comment about the GDPR at the moment, but what actually is it, and why should you care?
The EU General Data Protection Regulation (GDPR) was approved by the European Union Parliament on the 14th April 2016 and will come into enforcement on the 25th May 2018. It sets out new rules on how organisations must deal with personal data and communicate with individuals, and it strengthens the rules around consent. The GDPR also sets out the penalties for breaches, and these will be significant, with the upper level set at the higher of £20 million or 4% of worldwide revenue.
The GDPR sets out six clear principles for data protection and places a requirement on any data controller to be able to demonstrate their compliance with these.
GDPR requires that personal data is:
- Processed lawfully, transparently and fairly
- Collected and processed for specified, explicit and legitimate purposes
- Adequate, relevant, and most importantly limited to the purpose for which it is processed
- Accurate and kept up to date
- Only stored for as long as is necessary for the purpose
- Protected by appropriate levels of security and confidentiality, using appropriate technical measures, to prevent unauthorised or unlawful processing
To ensure compliance, your business must have documented policies, processes and procedures in place that are fully understood and followed by your staff at all times. You need to have a valid lawful basis for data processing, and this also needs to be fully documented and referenced within your Privacy Notice. This can seem an onerous process for many small and medium businesses, but as shown above, the penalties for non-compliance are significant.
GDPR introduces a requirement of “Data Protection by Design and by Default”. This means that you must be confident that all personal data that you currently hold is handled in line with the six core principles. Security of IT systems is obviously a key consideration for organisations of all sizes.
Carbon Cloud are helping small and medium businesses to understand the impact of GDPR, and to audit and review their current processes and IT systems in order to identify risks. We can help you to find any areas of risk and can advise on the most appropriate way of protecting any data that you are holding.
We understand that personal data has an important role to play in your business, and we can help you to ensure compliance with GDPR, protect your brand reputation and help you to run an efficient and secure business.
Get in touch now to find out how GDPR may affect you, and how Carbon Cloud can help.