GDPR stands for the General Data Protection Regulation and was introduced by the European Union (EU) in May 2018. GDPR was designed to give individuals more control over their personal data and to harmonize data protection laws across the EU member states.
The main points of the regulation involve:
- Data Subject Rights: GDPR grants individuals a range of rights concerning their personal data, including the right to access their data, request its deletion, and object to its processing.
- Data Protection Officers (DPOs): Certain organizations are required to appoint a Data Protection Officer (DPO) responsible for overseeing data protection strategies and compliance with the regulation. Companies in the UK registered with the Information Commissioner’s Office (ICO) will already have a DPO in place. The ICO has quite a lot of information on GBPR, details of which can be found via the following link:
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/ - Data Breach Notification: Organizations are obligated to report data breaches to relevant authorities within 72 hours of becoming aware of the breach, and in some cases, they must also notify affected individuals.
- Consent: Organizations must obtain clear and unambiguous consent from individuals before collecting and processing their personal data. Consent should be easy to withdraw.
- Data Portability: Individuals have the right to request their personal data in a commonly used and machine-readable format so that they can transfer it to another organization.
- Privacy by Design and Default: Organizations are required to integrate data protection measures into their processes and systems from the outset (privacy by design) and to ensure that data is only processed to the extent necessary for the specified purposes (privacy by default).
- Penalties: GDPR imposes significant fines for non-compliance, with fines of up to €20 million or 4% of a company’s global annual revenue, whichever is higher.
- International Data Transfers: GDPR also includes provisions regarding the transfer of personal data outside the EU to countries that do not provide an adequate level of data protection. Special mechanisms, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), may need to be used to ensure data protection compliance in such cases.
If you have a business in the UK, it’s best to check the guidelines and verify if you are required to register with the ICO. If you are unsure, please check with a lawyer. Whilst we are no longer part of the EU, data protection is something that needs to be taken seriously. Anyone who is a member of the FSB can get free legal advice 365 days of the year at a time and date that is convenient to you.
