Are We All Ready for Compliance With GDPR? Oh, You Are, Are You? Good For You.
If you are all ready for GDPR, feel free to leave the room.
For the rest of us, read on.
The deadline for compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is approaching, and Brexit will not save us.
On 25th May 2018 any business with European clientele needs to comply with the principles of the Regulation. Or what? you ask. A slapped wrist and a formal letter requiring you don’t do it again?
How does a fine of 20 MILLION Euro, or 4% of your annual worldwide turnover, whichever is GREATER, sound?
That’s going to make people take notice I think: speaking for myself, I am not too keen on dropping €20 million every few weeks.
Now, I am not claiming expertise in these matters. I imagine that I am in the same boat as most of my readers who are in business and interact with clients on the internet: aware of the existence of the Regulation, aware of the need to comply with it, and a bit concerned as to how to go about that.
So if I share my thoughts with you, can I ask you to share with me please? Do please tell me how you are setting your own businesses up.
It seems to me that the requirements, at base, are that each business must
1 Comply with the GDPR, and
2 Be able robustly to resist any suggestion that it has not done so.
Or to put it a different way: if challenged, or if any data is ever stolen from us, we must be able to show evidence that we have considered the requirements of the Regulation, decided how best to comply, and actually complied.
The best, perhaps only, way to demonstrate this is to start from the position of having a business-wide DATA PROTECTION POLICY.
This is a document which does not need to be published or available on the internet for everyone in the world to read, but it needs to be agreed by the business, shown to all employees, available to all at any time. And once it has been prepared, it needs to be followed.
So whilst the document above does not need to be published, there is then a further document which very much does need publication. Every existing contact now, and then every new contact of the business, for whom you hold any data (so that’s all of them) needs to be made aware of their rights and your obligations in respect of those rights.
You need to issue this, the PRIVACY NOTICE.
This explains what data you will retain and how you will process it. It gives contacts the option of saying “I don’t agree” – in which case they can choose to go elsewhere. Much like the website boxes we all tick to say “I agree with your terms and conditions”. What do you mean, you never read terms and conditions? Shame on you.
And in order to avoid that 20 million Euro fine, it would be handy to be able to prove that the Privacy Notice has actually been issued. The obvious way is to include it [or a link to it on your website] in every email sent from your business.
That still leaves the occasional contact who wanders into your office in person, or the person who has not yet joined the internet/email revolution. Yes, they exist.
Those people need to be handed written copies of the Privacy Notice, and ideally you might give them two, one to keep, and one to sign and return to you for your file.
Whether or not your Privacy Notice says so [and I would say it should do] your contacts will have rights – rights to view the data you hold, rights to correct mistakes in it, sometimes rights to have it erased. You need to understand what rights they have, so that you can implement them on request.
So if you do all that this week, come back next week for part two.
As I have said, I am learning this as I go, so if I am one page ahead of you, that’s fine.
If I am actually far behind you, do please drop me an email and help me to catch up!
And in the meantime, as ever – our message to you is, for documents for use around the world do contact me or Louise Morley here at AtkinsonNotary E7 Joseph’s Well Leeds LS3 1AB, phone 0113 8160116 and email email@example.com or via the website http://www.atkinsonnotary.com