Data Protection Rules are changing in May this year.
Many businesses remain uncertain about what this means for them. Some of the legislation is not yet finalised and this certainly doesn’t help us. Nonetheless, most of the requirements are known and there are things that businesses could and should be doing now, in order to prepare.
Personal data is any information about individuals who can be personally identified from the data that you hold.
The new GDPR rules (the “General Data Protection Regulation”) state that from 2018 data controllers must:
Have internal procedures in place that explain how data is:
- Collected – keep a record of what explicit permission was given by the data owner, i.e. when and how. You need to ensure that the data held is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
- Protected – how it is securely stored electronically or on paper
- Transmitted – think about the sensitivity of information sent via email
- Communicated – i.e. how you will respond to a request from an individual to provide a copy of all data held about them, including a request to delete that information (the “right to be forgotten”). Also, individuals have the new “right to data portability”. This means that the data must be presented in a “structured, commonly used and machine-readable” form.
- Shared – if you share information with another organisation, you must record what you pass on to them, how, and when.
- Managed – every organisation that holds personal data will need a privacy statement, and be aware that somebody must be designated as the Data Protection Officer.
What’s new is that individuals have greater rights to demand access to their data, and that the requirements for consent to hold and process it are tightening.
Businesses should be well used to operating in a changing commercial and administrative environment, and compliance with the new regulations will not be a great upheaval for data-intensive companies that are already compliant with the existing DPA (Data Protection Act) legislation. For many organisations, GDPR can be seen as an opportunity to make contact with customers who haven’t been in touch for a while.
If you need more information there is plenty of it on the ICO (Information Commissioner’s Office) website:
As an accountancy practice, we need to ensure that our clients’ data is securely held and transmitted, and I’ll be communicating some of these changes with clients over the next few weeks. I’ll also be doing a review of how clients may be impacted themselves, and how we may be able to help. Please do get in touch if you have any concerns or questions.