The General Data Protection Regulation is a new set of rules that governs the privacy and security of personal data and replaces the Data Protection Act.
GDPR will apply from 25th May 2018, and from that date all companies must be fully compliant.
Any fines imposed for not being compliant are required to be effective, proportionate and dissuasive and can be up to €20 million or 4% of turnover, whichever is the greater.
The definition of 'Data' is more detailed than before and includes online identifiers such as IP addresses.
GDPR applies to both automated personal data and to manual filing systems where personal data are held.
In summary, if you keep any customer or staff records you will need to comply with the new rules.
For processing of data to be lawful under GDPR, you need to identify a lawful basis for the processing and document it before the processing takes place.
You are expected to put in place comprehensive but proportionate governance measures, and in some circumstances privacy impact assessments and privacy by design are legally required.
These measures aim to minimise the risk of data breaches, but they will mean that more policies and procedures are required.
How can we help?
We are able to audit and provide a gap analysis to identify where work is required to become GDPR compliant.
We can assist with data impact assessments, provide regular support and audits to prove compliance, and have a comprehensive toolkit to make the process of preparing the required policies and procedures as easy as possible.
Visit www.c3c.co.uk or call us on 0330 004 0020 to find out more.