The General Data Protection Regulation (GDPR) comes into force in the UK next year and all businesses must prepare now for its arrival.
The GDPR is a new legal framework in the European Union and aims to strengthen and unify data protection, giving control back to residents and citizens of the EU over their personal data.
From 25 May 2018, businesses must adhere to new rules and procedures, and given that the Government has confirmed its intention to implement the regulations into UK law, local advisor Hadrian HR is warning companies of all sizes to not ignore the regulation’s implications and put plans into place to prepare for its introduction.
Deb Tweedy, HR consultant at Newcastle-based Hadrian HR, said: “GDPR will affect the running of any organisation, including small businesses who may not have an administration or HR function, so they need to gear up now for the changes coming next year and put systems in place.
“The impact starts with what information must be provided to employees on how their information will be processed, stored and retained. Processors such as payroll providers or pension providers will be more accountable in processing business data, and companies will have greater accountability for demonstrating compliance.”
Ahead of the introduction of GDPR, there are certain steps businesses should now take to prepare. Hadrian HR has compiled the following five tips:
- Key people within your organisation who collate and process data should be informed of GDPR, and they should ensure the business has a register of where all information is contained, why it is used and when data is destroyed. Any personal data held must be documented, including where it came from and who it will be shared with.
- At present, businesses must give people certain information when collecting their data, such as how and why it will be used. Under the GDPR, a business must provide additional information, such as explaining their lawful basis for processing the data and how long the data will be stored for.
- Businesses should take the time now to think about how they would react should an individual request deletion of their data, and how they would prove they have deleted the information. Individuals will also be able to request access to their data free of charge and businesses will have to respond within one month, so should make sure they can easily retrieve all personal data if required.
- For the first time, the GDPR is introducing special protection for children’s personal data, particularly in the context of services such as social networking. If a business is working with children, they should think about whether systems need to be put in place to verify an individual’s age and whether parental or guardian consent is necessary for data processing.
With a sound understanding of the GDPR and what it is asking of all businesses, and adequate preparations put in place, businesses in the UK should be able to transition with ease into the new regulation.