At Finnies we assist many firms with their tax and accounting needs, helping them to stay ahead.
With new data protection rules coming into effect, businesses are advised to make sure that they are aware of the changes. Here we provide an outline of the new rules for consideration; further information is available from the Information Commissioner’s Office: www.ico.org.uk.
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018, placing additional obligations on businesses in regard to the safeguarding of personal data.
The GDPR applies to organisations established in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in an EU member state. It requires them both to protect those individuals' personal data and to be able to demonstrate, with documentation, that they do so. The UK's decision to leave the EU did not affect the introduction of the legislation in the UK.
The Regulation requires a consistent and transparent approach to data processing, and the financial penalties for failing to comply are severe: the highest tier of fines is up to €20m or up to 4% of total annual worldwide turnover for the preceding financial year, whichever is the greater.
While the principles of the GDPR are broadly similar to those of the existing Data Protection Act 1998 (DPA), there are some key changes that place additional obligations on businesses.
The GDPR places new emphasis on accountability and transparency in the handling of personal data. A business that is already compliant with the DPA will already meet many of the GDPR's requirements, but it must also be able to produce documentary evidence of its compliance; this is the accountability principle.
Specifically, businesses must be accountable for their use of personal data and must identify, and record, a lawful basis for each processing activity. The lawful bases available are consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests.
The GDPR sets out, in Article 5, the principles with which all processing of personal data must comply.
The GDPR builds on the existing rights and principles for individuals under the DPA, and introduces additional rights for data subjects in Chapter III of the Regulation.
The law places particular emphasis on the issue of consent, stating that an indication of consent must be freely given, specific, informed and unambiguous. Consent cannot be inferred from silence or inaction, such as failing to click an online 'unsubscribe' box, or from the use of pre-ticked boxes, and it must be as easy for an individual to withdraw consent as it was to give it. Businesses also need to capture the date, time, method and the actual wording used to obtain consent, so it is important to ensure that your business has the means to record and retain such information.
Additional obligations apply to certain organisations. For example, a data protection officer must be appointed by public authorities and by organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. The exemption from keeping full records of processing activities is available only to organisations with fewer than 250 employees, and even then not where the processing is likely to result in a risk to individuals, is not occasional, or involves special categories of data or data relating to criminal convictions.
Businesses should review the areas outlined above and ensure that they are compliant with the GDPR, as fines for non-compliance can be severe.
Further information and guidance can be found on the Information Commissioner's Office website: www.ico.org.uk.