News Article
A new data privacy law, the General Data Protection Regulation (GDPR), comes into force in May 2018, overhauling current data protection legislation.
GDPR increases consumer rights over the way their data is collected, maintained and shared. It must be met by anyone handling personal data of EU citizens, and no business is exempt.
Personal data refers to anything from a name, home address, photo, email address, bank details or medical information to a computer's IP address.
If you handle EU citizen data, you will need to comply with the new regulation, ideally by having someone in your business responsible for data protection and by ensuring you gain a customer's consent before using their data (using an 'opt in' rather than the current 'opt out' mechanism).
There will also be a requirement to notify customers and report any breach of personal data to the Information Commissioner's Office (ICO) within 72 hours.
Basic steps a business can take include ensuring key people are aware of GDPR. Document the information you hold, where it came from and how you use it.
Check that your procedures cover individuals' rights over their data, including how you delete records and how you transmit data. Plan who has access to data records and who has the ability to amend and update them. This ensures a transparent audit trail.
Confirm the legal basis you have for using the data you hold and document it. Review the way you obtain data, with particular regard to obtaining and recording consent for its use from individuals. Plan how you verify the age of individuals when gathering data so that, where you deal with minors, parental or guardian consent is obtained and recorded.
Ensure you have procedures in place to detect, investigate and report a personal data breach, use Privacy Impact Assessments, and understand how to implement them within your business.
Designate a Data Protection Officer. This must be a responsible person as the role should sit within your company's governance. If you deal internationally, you will need to determine which supervisory authority you come under.
Our advice is to act now to ensure you are ready to comply with GDPR, and to consider comprehensive Cyber and Management Liability insurance, which can provide financial and practical assistance in the event of a personal data breach.
Our Offices
- Address: 29 North Parade, Aberystwyth, Ceredigion SY23 2JN
- Phone: 01970 624261
- Email: aber@reesastley.co.uk
- Address: Mostyn House, Market Street, Newtown, Powys, SY16 2PQ
- Phone: 01686 626019
- Email: newtown@reesastley.co.uk
- Address: Sweetlake Business Village, Longden Road, Shrewsbury SY3 9EW
- Phone: 01743 296666
- Email: shrewsbury@reesastley.co.uk