Is your business ready for GDPR?

It won't have escaped your attention that new rules covering how businesses use data come into force today. 

The new EU General Data Protection Regulations (GDPR) apply to any business that holds data on an individual.

You can read more about what GDPR will mean for your business here

NPA chief executive Zoe Davies said: "This is a very important change in legislation and all businesses need to be aware about what they need to do to comply with GDPR. The consequences of non-compliance could be quite severe." 

What the new rules mean for businesses

We published the following advice on GDPR in April. Today seems like a good time for a reminder. 

John Smith, solicitor at Burges Salmon explained that the new rules add to the existing Data Protection Act, with four key areas employers should be aware of: Accountability, self-reporting, enhanced rights, and consent.

Farmers will be required to keep data on employees, for example, secure and up-to-date. 

Currently, employees have a right to request to see all the personal data held on them by an employer – this remains the case but, under GDPR, an employer can no longer charge a fee for this and must comply within 30 days, Mr Smith said. Employees can also demand that their data is erased simply by removing consent for their data to be held.

Under the Data Protection Act, employers are required to have valid and justifiable reasons to hold data relating to an individual, so in the case of employees, they often rely on a consent clause in employee contracts, said Mr Smith. However, the legal definition of consent under GDPR has been changed.

“The bar has been raised high and it is no longer safe for employers to rely on this. Employers will now have to rely on contractual necessity to hold data, such as holding bank details in order to pay them, or National Insurance Numbers to comply with HMRC,” he said.

On top of this, employers are responsible for any breaches that occur with a third-party company which is contracted to do work using personal information, such as payroll. “Farmers should review these contracts and add a GDPR clause saying the third party agree to comply, and if they don’t they can indemnify you,” Mr Smith added.

If a company breaches data protection rules it is required to report the breach to the Information Commissioners Office (ICO). For serious breaches you have to report within 72 hours and keep a record, Mr Smith said.

For serious breaches in data protection, including the loss of a laptop or memory stick containing personal information, businesses can be charged 4% of annual global turnover up to €20m (£17.5m). 

With more resources to clamp down on breaches, the ICO will be able to walk into an office unannounced and temporarily ban firms from holding personal information. “On top of this, if an individual suffers losses as a result of a breach, there is no cap on the compensation they can claim," Mr Smith said.

“Your business will need policies and procedures in place to demonstrate compliance with GDPR. This needs to be on-going, day-to-day compliance, with training for relevant staff, and audits on what data you hold and where you’re keeping it.

“The ICO has launched a telephone line to guide small businesses through the process but GDPR is imposing an onerous obligation on employers.”