GDPR – a help or a hindrance?
So, for the uninitiated, GDPR stands for the General Data Protection Regulation. It’s basically the Data Protection Act (DPA) on speed!
The new regulation, from the European Parliament and Council, applies from 25th May 2018, and when they say it applies, they mean it applies. Everyone who holds any personal data of any sort, in any way, will need to comply. Now, before we go all “what have the Europeans ever done for us”, let’s consider the world we currently live in. Well-publicised hacks of international mega-corporates show the importance of cyber security in today’s world, but let’s not ‘Talk Talk’ about that now! I actually believe that ensuring personal data security is more important now than ever, and although the introduction of this new legislation may mean we have a few more policies to write, surely it’s worthwhile.
Over a series of articles, I will unpack what this legislation means for a small business and what we need to do to ensure that we are compliant.
The first, and I think most important, point to make is that many of the GDPR’s main concepts and principles are much the same as those under the current DPA. If you are complying properly with the current law, most of your approach to compliance will remain valid under the GDPR, and that’s the starting block upon which we will build. Whether you are actually compliant under the DPA is something you will need to assess for yourself, but I’m going to write these articles on the assumption that you are.
It is essential to plan your approach to GDPR compliance now; although 25th May seems a long way off, it will come around quickly. You will need to gain buy-in from key people in your organisation; for many of you this may only mean a conversation with yourself, something I do regularly (although I’m in two minds about that), or with your co-directors. You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions; we’ll come on to that later. The GDPR also places greater emphasis on the documentation you must keep to demonstrate accountability. One important aspect of this is to review the contracts and other arrangements you have in place when sharing data with other organisations. For myself, I am relishing the moment I approach HMRC for a copy of their data compliance!
Some parts of the GDPR will have more of an impact on some organisations than on others (for example, the provisions relating to profiling or to children’s data). So, if I can leave you with any homework now, it would be to map out which parts of the GDPR will have the greatest impact on your business model, though please don’t send it in for marking!
Next week we will start looking at the twelve step process for GDPR nirvana – that’s what I’m going to call compliance from now on!!!