Skip to main content

Is your business ready for the GDPR?

Business

A new set of data protection guidelines is coming into play on 25th May 2018. If your business handles personal data in any way, you'll need to be ready for this implementation.

What is the GDPR?

The GDPR stands for the General Data Protection Regulation, and it's a privacy ruling for companies that are doing business in Europe. Although our departure from the EU is looming, we should assume that British businesses will still have to adhere to the GDPR after we leave (the regulations will probably be copied into British law for sake of ease). 

Under the GDPR, your business is required to protect the personal data of both customers and employees. It applies to Business-to-Consumer (B2C) and Business-to-Business (B2B) organisations - in fact any organisation which stores or processes data of EU citizens. Your business does not need to be based in the EU for these regulations to apply. 

What constitutes 'personal data'?

Personal data includes, but is not limited to an individual's:

  • Name
  • Email address
  • Home address (or any other associated addresses) 
  • Banking details, including card details
  • Driving Licence (and associated numbers)
  • Passport (and associated numbers)
  • National Insurance Number
  • Online names or personal identifiers
  • Medical records (including genetic and bio metric data)

The data does not have to be 'sensitive'; if the data your business is collecting, processing or storing is personal, then your business will need to apply the regulations outlined by the GDPR. Whether its customers, other businesses or staff, this privacy ruling applies.

What could happen if my business doesn't comply?

Your business could be fined up to 20M Euros, or 4% of your global annual turnover. But you should be more worried about the potential loss of reputation with your customers and employees.

So how can I prepare my business?

There are plenty of guides out there to help with more specific GDPR enquiries (you can even ask an advisor from the ICO to visit your business and help you in person) but here are the general steps that all businesses need to take.

1. Get GDPR aware
Make sure that management and any relevant individuals within your business know about this change to data protection law. They should understand the impact this will have on your business.

2. Start documenting
You should start making a record of what data you hold, where it comes from and where it goes to. That means everyone you share personal data with, including internal and external individuals, other businesses and applications.

3. Check your privacy notices
Review all of your current privacy notices, and plan any additions and amendments based on the GDPR.  These privacy notices will be internal, such as employee contracts, and external, such as business proposals for customers. Find out more about the requirements for this here.

4. Know your (and their) rights
With the introduction of the GDPR there's a ton of rights for individuals that your business will have to abide by. Make sure you know them, and plan how you will meet them (e.g. the right to erasure, where personal data must be deleted on request).

5. Subject access requests
The way you will be required to process people requesting access to their data will change. For example, under the GDPR your business will be restricted from charging for the majority of access requests, and you must respond to requests in a shorter amount of time.

6. Identify why you're collecting data
This might be an obvious one, but you have to be able to clearly identify the lawful basis for your collection, sharing and storing of personal data. This must be updated in your privacy notices so it's explained internally and externally.

7. Check for consent
The ICO states that, 'Consent must be freely given, specific, informed and unambiguous.' This means that when you request personal data, you'll be required to ask individuals to opt in, rather than out. There are a few requirements for consent, check them out here.

8. What about children's data?
One of the big changes brought in by the GDPR is that additional requirements will have to be met for the personal data of anyone under 16. You will have to use age verification where necessary, and get consent for children from a designated parent or carer.

9. Data breaches
Make sure you have systems in place to detect, notify and investigate data breaches. Under the GDPR you'll be expected to let individuals know that their privacy has been compromised in no more than 72 hours after you've become aware of it - if it affects individuals' rights and freedoms. 

10. Data Protection By Design
The GDPR is introducing, 'privacy by design' a legal requirement for businesses, under the term ‘data protection by design and by default’. That means that ‘Data Protection Impact Assessments’ (DPIAs) will sometimes be mandatory - so you'll have to think about privacy impacts of decisions at the beginning of projects.

11. Pick a Data Protection Officer
You'll need to have a designated Data Protection Officer within your business, which you might have to formally identify if your business meets certain requirements. This should be the person ensuring GDPR compliance throughout your organisation.

12. Going international?
If you do business in more than one EU member state, you'll need to identify your lead data protection supervisory authority (whoever's in charge of data protection in that country/location) and document it. You can find more guidance on this here

What if I can't get my head round any of this?

Keep in mind that there's a fair few months between you and this deadline, so if you haven't started with this yet, that's ok. Read up on the GDPR and the requirements for your business, and don't be afraid to ask for help from the ICO (or your friendly IT support team) if you need it. 

It might seem a little overwhelming on the face of it, but a lot of the GDPR requirements will build on your pre-existing privacy regulations. You'll have a lot of data protection policies in place already, and adjusting them to meet the requirements for the GDPR will help you check and consolidate them. 

Check whether you're ready for the GDPR with this quiz from the ICO

Categories

Latest posts

0191 482 0444

Enquiries

We value your privacy
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Click here to read the latest comments from our customers

The Transcendit Way

Transcendit understand that when you choose to work with us, whether we're taking care of your IT, app or web development, you're trusting us with part of your business. So whether we're looking after your computers, phone systems or servers we always do things 'the Transcendit way'.

The whole of our team adhere to the same values, beliefs and policies - the principles that were written when Transcendit first formed in 2000. Whether you come to us for cloud services or recovery backup you can be confident that you'll always receive the same excellent service.

The Transcendit way outlines how we do business; following the same straightforward principles with every client and customer, regardless of how big or small they may be.

That means we get to know you and your business. We offer you a friendly, professional and efficient service, and we'll always be honest with you.
We understand that not everybody speaks fluent IT, so we try to explain things in a way that is simple and clear. We always spend as much time as is necessary explaining things to you.
If you need to talk to us about something, no matter how insignificant, we are only ever a phone call away – and we’re never too busy to make you a cup of tea and have a sit down with you in person.
We understand how frustrating it can be when things are late. When we schedule an appointment with you, we are there when you’re expecting us. If something prevents us from getting there, we always call you in advance to let you know.
Sometimes things can go wrong, but we never lie to you or try to cover something up. If things go askew we tell you what’s happened and how we plan to prevent it affecting your business.
We want you to continuously benefit from working with us. We regularly discuss your business and make suggestions for improving systems and processes wherever we can – but we never try to push you into a purchase.
When we quote a fixed price, that's always the amount we charge – you won’t find any nasty surprises on a bill from us. If you are paying by time and materials, we inform you if our approximations could change.
We understand the importance of privacy for your business and your customers. We respect the confidentiality of your data, and we will never pass on your information to third parties.
We appreciate it when you take the time to give us feedback. A system called CustomerSure records our client's responses, so you can trust that our reviews are from real people.
Find out what they're saying here.
As always the support team are efficient and effective. Darlington Golf Club

Based on 12075 reviews our customers rate us 9.8/10. Reviews and ratings by Customersure. 09-October-2024

Transcendit are proud sponsors of CHUF, the Children's Heart Unit Fund.

Transcendit is a Living Wage employer
Transcendit is a Microsoft Gold certified partner
VMWARE partner
Vipre partner
IPCortex partner
WithSecure partner
DELL partner
Barracuda partner
Veeam partner
N-Able partner

Copyright © 2024 Transcendit Ltd, a limited company registered in England and Wales No. 4041370. VAT No. 747 2063 34.
Cookies | Terms and Conditions | Data Protection and Privacy policy | Newsletter | Partners | Careers | Sitemap | Facebook | Twitter
IT support Newcastle | IT support Gateshead | IT support Durham | IT support Sunderland | IT support North East

Cyber essentials certified