Regardless of what happens with Brexit, the GDPR will definitely come into force at the end of May 2018. The ICO has recruited 200 additional staff to focus on GDPR compliance tasks. Fines will go up to 20 million euros or up to 4% of annual turnover if businesses don’t comply. This means non-compliance is simply not an option, whether you are an SME or a multinational.
The “right to be forgotten” is definitely not as simple as it reads, and the recruitment industry will very much be an obvious target for inspection.
We recently attended a few seminars focused around GDPR and here is what we learned:
- Individuals will gain a new right to know how their data is used, why it is used and if it has been shared with third parties.
- Individuals will have the “right to be forgotten” and can therefore require their details to be permanently deleted (i.e. not just deleted from your CRM, but from every system and backup that holds them).
- GDPR will require businesses to demonstrate how they are compliant and what steps they have taken to make sure that they will be compliant in the future.
- We were advised to use pseudonymisation and anonymisation for each individual, which basically means processing data in a way that the identity of the individual cannot be established without additional information that is held separately.
- If your business has more than 250 employees you will be required to appoint a Data Controller (before May 2018), who will keep additional and more detailed records of your data processing.
- If your business has fewer than 250 employees you will still need to keep detailed records of the data to demonstrate accountability if the data activities relate to higher-risk processing, such as “processing personal data that could result in a risk to the rights and freedoms of individuals; or processing of special categories of data or criminal convictions and offences.”
- A data breach will sadly most likely happen at some point. It can be an employee who has left his/her screen on whilst taking a break, a lost laptop/mobile phone on a train, an email with personal data accidentally sent to the wrong person, etc.
- Once a data breach has happened there will be strict timelines for reporting it. Indeed, “A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it.”
This new legislation will affect every organisation, so make sure you put a reliable and compliant system in place as soon as possible. There are a few GDPR compliance software packages on the market for small businesses, as well as consultancies and organisations that specialise in GDPR regulations. Don’t leave it too late, and don’t forget that the GDPR can actually be beneficial to your business: it can make you stand out from competitors and get you to focus even more on your customers.