The GDPR ( European General Data Protection Regulation) deadline is 25th May 2018
GDPR regulation for small businesses is a hot topic, Most businesses hold data on individuals which falls under the scope of the new regulation.
If you do use or store personal information, and this information relates to someone that can be identified, you are referred to in the Act as a ‘data controller’.
The government has confirmed that Brexit will not affect the GDPR start date, or its immediate running. It’s also confirmed that post-Brexit, the UK’s own law (or a newly-proposed Data Protection Act) will directly mirror the GDPR.
If your organisation deals with personal data, you must ensure that you consistently act in accordance with the eight key principles set out in the Data Protection Act.
1. Personal data must be processed fairly and lawfully
This is among the most important requirements of the Act. In order to comply, you must provide individuals with the name of your business, and details of the purpose for which their information will be used. You should make it clear that the individual can access and correct the information that you hold about them.
Crucially, you must also tell them if the information will be used in any way that is not immediately obvious. For example, you must tell the individual if their details will be passed on to credit reference agencies.
2. Personal data must be processed for specified lawful purposes
You must have a specified, lawful reason for collecting data; you cannot simply collect it speculatively. Furthermore, you cannot use the data collected for another, “incompatible” or unlawful purpose.
3. Personal data must be adequate, relevant and not excessive
You should only collect the bare minimum; you may not collect information that is not immediately relevant to the specified purpose, and you may not collect more information than you need.
4. Personal data must be accurate and up to date
Any information you hold must be factually accurate, and updated where necessary. Depending on the nature of your business, you may need to develop mechanisms that allow individuals to update their details quickly.
5. Personal data must not be kept for any longer than is necessary
If the purpose for which you collected the data is time-limited, you must ensure that the data is not retained once it is no longer needed. Where applicable, you should tell individuals how long the data is likely to be retained for.
6. Personal data must be processed in accordance with the rights of individuals
The Act sets out the rights of individuals, as well as the responsibilities of data controllers. You should make sure that you understand these rights, and act in accordance with them.
7. Personal data must be kept secure
You must take adequate steps to ensure the security of the data. This means that it should be safe from tampering, loss, or unlawful processing. You may need to develop both technical and organisational processes to help you deal with this obligation.
8. Personal data must not be transferred outside the European Economic Area without adequate protection
Data may only be transferred out of the EEA if the country to which it is being transferred has adequate legal protection for individuals and their details.
As well as ensuring that you abide by the eight key principles, you may also be required to notify the Information Commissioner’s Office (ICO) of your activities. The Act works on the basis that all data controllers are required to notify, but some exemptions are available. If you are not exempt but you fail to notify the ICO, you risk prosecution.
You may be exempt from the notification requirement if:
you only process data for the purposes of: staff administration; payroll; advertising, marketing and PR that are directly related to your own business activities; or accounts and record-keeping
yours is a not-for-profit organisation
data is only being processed for personal, family, or household affairs
you only process data in order to maintain a public register
or if no automated system, like a computer, is used in the processing of data
You can use the ICO’s online checker tool to see if your business is exempt from registration.
If you do need to register, you can do this on the ICO website. Registration generally costs £35 per year.
If you don’t comply with the Data Protection Act, you could face serious penalties, including a fine of up to £500,000. If you are in doubt, seek advice from the Information Commissioner’s Office, or from an independent legal professional.
Please take a moment to check out our website for tools, welding plant and consumables, fasteners, and a wide range of industrial products.
