The new General Data Protection Regulation (GDPR) is now approved by the EU Parliament and will come into force in May 2018.
In the wake of Brexit, the GDPR applies to organisations located within the EU and will also apply to organisations located outside the EU that offer goods or services to, or monitor the behaviour of, EU data subjects.
Business News Wales asks: How can Welsh Businesses Prepare for the GDPR?
Lowri Phillips | Partner
Your starting point should be to ensure that key members of staff (e.g. your head of HR, Marketing, IT and customer relations), receive appropriate training on the GDPR so that they are able to begin evaluating the impact of the new legislation on your business and, ultimately, implement the necessary changes. Form a GDPR working group from within these key departments to drive forward your GDPR compliance project.
- An essential factor in achieving compliance with the GDPR is ensuring that you understand what personal data your organisation holds, where it comes from, what you do with it, who you share it with, how and where it is stored and for how long, and where in the world it goes. Your next priority, therefore, should be to undertake a comprehensive review of your business’s data processing activities and to compile a personal data inventory recording the information.
- Following your data inventory exercise, you’ll need to consider where your main risk areas are. These might include having inadequate privacy notices, no clear legal basis for processing personal data, inadequate security or frequent transfers of personal data outside the EEA. The risk areas will vary from business to business. There is no quick fix or stock answer, but your personal data inventory will help you to prioritise the steps your business needs to take.
The Information Commissioner encourages businesses to see the need to comply with the GDPR as an opportunity – a carrot rather than a stick – to modernise their data protection practices and gain customer trust. In our view, it’s a fairly small carrot and a very big stick – but seeing as non-compliance is not a realistic option, why not embrace it? You never know, it might provide you with a competitive edge!
Information Commissioner’s Office
David Teague | Regional Manager for Wales
There’s less than a year to go until a big change in data protection law which means if you’re responsible for people’s personal information, you need to be preparing for that change now.
New legislation called the General Data Protection Regulation (GDPR) will come into effect in May 2018 in the UK via the Government’s Data Protection Bill, and will bring a more 21st century approach to the processing of personal data.
The new reforms place more obligations on all businesses, including those in Wales, to be accountable for their use of personal data. You’ll need to think carefully about the way you deal with customers’ and staff records, and if you’re working alongside Welsh public authorities, you may need to demonstrate your compliance with the new law as part of your working agreement…
View David’s full submission on ‘Why SME’s Must Act Now for GDPR’
Richard Turner | CEO
The digital economy is primarily built upon the collection and exchange of data, often including large amounts of personal data. Growth in the digital economy requires public and B2B client confidence in the protection of this information, and companies need clear guidance, advice and support to implement these new policies.
I’m concerned that there may be confusion on how to implement the new GDPR rules and suspect that many companies will not be prepared for the deadline. This will be a key component of business strategy going forward.
West Cheshire & North Wales Chamber of Commerce
Matthew Hodgson | Policy & Communications Manager
There is now under a year to go until the General Data Protection Regulation comes into law on 25th May 2018. From this point, businesses across the UK that hold personal data will need to guarantee that their data procedures are fit for purpose and compliant with the new regulation.
It is imperative that businesses across Wales take action now to prepare for these changes as businesses that are found to be non-compliant risk potential fines up to €20m or 4% of annual worldwide turnover.
Steps for businesses to take include:
- Document what personal data the company holds, where it came from and who it is shared with. Firms may want to consider organising an information audit or speaking to a data expert.
- Review current privacy notices and plan for any necessary changes needed before the implementation deadline.
- Check procedures to ensure that they cover all the rights individuals have under the new rules, including how to delete personal data or provide data electronically if needed.
- Review how the company seeks, obtains and records consent from individuals, and whether any changes are necessary.
- Ensure the right procedures are in place to detect, report and investigate a personal data breach.
- Determine whether a Data Protection Officer is required, and designate one if so, to take responsibility for data protection compliance and assess how the role will sit within the organisation.
Graham Leslie Morgan | Managing Director
By 25th May 2018 you need to have in place the processes and procedures that will protect you from the far-reaching implications of this legislation. Whilst initiated in Europe, it will be implemented in the UK and you will need to ensure your business is not exposed to the HUGE fines that could be imposed for non-compliance.
Whilst the measures proposed are intended to minimise the risk of breaches and uphold the protection of personal data, which is entirely understandable in a digital age, it will involve SMEs in more red tape. There will definitely be a need for business owners to ensure they have a very clear plan to ensure their policies and procedures are fit for purpose and protect them fully from the implications of any breaches. As importantly, a training and awareness programme for all staff, to ensure compliance with what is expected of them when dealing with personal data, will be key.
As in all situations where new legislation comes into force, the sooner you look at getting a plan in place for your business, the less impact it will have on day-to-day operations come 2018.
Alex Parr | Managing Director
The GDPR is designed to give individuals more say in what data they allow organisations to hold and more transparency in how this data will be used. Each item of personal data held must be legally justified, and, where appropriate, obtained with positive consent.
What this means for Welsh businesses is that we will have to review the data we currently collect from clients, employees, and suppliers. We then need to ask ourselves why we need it, and whether we can legally justify collecting it.
Once we’ve established what’s necessary and justifiable, we then need to decide if a consent form or a privacy notice is more suitable to go alongside the data collection form and get these drafted up ready to accompany application forms, surveys, and the like.
With enough research and a planned, methodical approach, it should be straightforward to ensure our organisations comply.
Kerry Beynon | Data Protection Expert
For some businesses in Wales, GDPR compliance will only involve a small amount of work, but for others it will be a major task.
It is not enough to assume that your current data protection procedures are enough.
GDPR compliance should be viewed as an opportunity to review current data collection and storage systems and processes and make them as safe and secure as possible.
Start with a thorough audit of what data you collect, how it is collected, why it is collected and by whom. Ensure senior management is on board and go through your business methodically, department by department.
Are your storage systems secure? Do you have appropriate contracts in place with third parties?
The GDPR is not just about compliance; you have to actively demonstrate you are complying and show how. If you are launching a new product or service, compliance should be something you consider at the outset and not an afterthought.
Paul Collins | Business Manager
In May 2018, the new General Data Protection Regulation will be introduced in the UK, making significant changes to the way that employers handle their employees’ data.
This will build on current legislation and provide more protection for consumers and more privacy considerations for organisations. It will put the onus on companies to change their “entire ethos” on data protection, with the main focus on increased accountability and transparency about how organisations hold data.
The Government will be given some leeway to make its own law on data protection, so employers should continue to keep an eye on developments in this area.
With maximum fines increasing so significantly, employers must be sure they are comfortable with the changes. The starting point is likely to be a review of all data protection documentation in place to ensure it remains valid.
Matt Sutton | Director
With less than a year until the GDPR comes into force, we would encourage Welsh businesses to start preparing now to ensure that they are compliant with the new legislation. Under the GDPR, all organisations operating within the EU that hold personal data will be affected by these new rules and will therefore need to ensure that their data procedures are compliant with the new regulations.
So what can you do to protect your business?
- Review all current data held by your business – audit your consents and document where the data has come from and who it has been shared with.
- Review current privacy and policy notices and ensure that they are compliant with the legislation – you may need to start making changes to current policies.
- Ensure you have a procedure in place to detect and deal with any personal data breaches – consider the use of a Data Protection Officer if necessary.
Simon Renault | Head of Special Projects
GDPR will affect every Welsh business regardless of size, revenue or sector, and so it is key that companies begin to review their procedures now to ensure all data collection and processes are GDPR-compliant by May 2018. SMEs account for 99% of Wales’ companies, and these smaller businesses might be concerned about their capability to cope with what may seem a complex task. For those who want free advice on how to future-proof their business ahead of the new legislation then David Teague from the Information Commissioner’s Office and John Davies, Chair of South Wales Cyber Security Cluster, will be discussing GDPR and how this will affect Welsh businesses at Digital. The free festival will be held in Tramshed Tech & Tramshed in Cardiff on the 18th – 19th September 2017, transforming the space into a hub of more than 2,000 digital innovators, entrepreneurs and investors, making connections, doing business, and talking tech.
Richard Thomas | Employment Lawyer and Partner
All organisations – regardless of sector or size – will have to comply with the new GDPR. Welsh businesses need to make sure they’re putting their responsibility to safeguard individuals’ personal data at the heart of their practice.
Conducting a thorough assessment of their current practice – looking at why they’re collecting data, and how they’re processing it – is a key first step for all organisations. Under GDPR an individual’s consent to the collection and processing of their data must be specific, informed and ‘freely’ given and can be withdrawn at any time. So, businesses are going to have to think much more carefully about the legitimate reasons they are using employee and customer data – and rely upon these reasons, rather than consent.
This increased level of transparency of information means a fundamental culture shift – and is something all businesses will have to get used to. Failing to comply could mean enforcement action – damaging for any business’ reputation, as well as their bank balance.
If you would like to find out about joining the Business News Wales Expert Panel or contributing to Business News Wales, contact Chris McColgan at [email protected] or call 02920 376 122