Your reputation?
On the 25th of May, 2018, the new EU General Data Protection Regulations (GDPR) came into force. It replaces the Data Protection Act 1998.
This could have major implications for businesses that gather and use personal data.
You might be wondering why this is relevant, since Article 50 has triggered the UK leaving the European Union. In fact, the government has confirmed that leaving the EU won’t affect the initiation of the GDPR in the UK.
With implications for businesses’ processes, including confidential waste disposal, companies across the country will need to prepare for this new law. We have therefore put together this helpful guide to understanding just what the GDPR means to you and your business.
Why are the General Data Protection Regulations being introduced?
Back in 1998, when the Data Protection Act first came into force, the world was a very different place. Over the past 20 years we have seen immense changes in technology and the way that individuals and businesses use it in completely new ways.
The GDPR reflects the current use of the internet, mobile and smart devices, social media and e-commerce in relation to the collection of data. New technology has also impacted massively on the way that businesses and organisations use the data they collect from their customers, clients and consumers.
The intention of the General Data Protection Regulations is to bring the law into line with the way technology is used and give people more control over their personal data. It will also standardise some of the ways businesses can communicate with the people whose data they have access to.
How will it affect business?
Any business that collects data of any kind will be affected. It will also potentially impact some firms that weren’t previously affected by the Data Protection Act.
GDPR looks at the location of the customer rather than the business. If an organisation has customers who live in the EU, the regulations will still apply to that organisation even if it is based outside the EU, as UK organisations will be following Brexit.
What do the new regulations say?
The GDPR asks firms to be more transparent about how they store, keep and process data. The rules on how companies use this data are also going to be a lot more detailed.
Explicit consent will need to be given before any data can be gathered. Rather than being given the opportunity to opt out of providing their information, people will be required to actively opt in. They will also have the right to change their minds at any time.
What penalties will be issued?
Non-compliance with the new regulations could result in hefty fines of up to €20m, or 4% of a company’s global turnover.
If a data breach releases information relating to a group of people, they could join forces against a business under the collective action initiative.
What do you have to do?
All legal documents referring to accessing information, including privacy policies and data processing agreements, will need to be updated to reflect the new regulations.
Businesses will also need to create processes that seek explicit consent for taking data and give people access to modify and delete it, should they want to.
You might need to create a new code of conduct that highlights the implications of the new rules and how to apply them.
Data disposal and destruction
As you can imagine, the ethical and secure disposal of sensitive documents and records that are no longer needed is an important aspect of GDPR.
Given the new guidelines, this will also relate to the point when people decide that they don’t want their information to be held any more. When documents need to be destroyed, you’ll need to find the safest, most reliable way that ensures they can’t be recovered.
A regular shredding service offers a safe and secure means of destroying paper records. It’s also worth remembering that hard drive destruction will allow you to dispose of digital media, ensuring that any information can’t be accessed.
The shredded paper is 100% recycled and turned into other paper products right here in the UK.
The Environment
We will visit you to make sure that your premises are secure and your staff and clients’ information is not able to get into the wrong hands.
Get in touch
We are able to offer a 24-hour collection service so we do not disturb the day-to-day running of your business.