30 May 2017
The British Chambers of Commerce have released guidance on how businesses can prepare for upcoming changes in Data Protection responsibilities.
The changes come into force on 25 May 2018 and, although the General Data Protection Regulation (GDPR) is an EU initiative, UK businesses will be expected to comply with the new rules after Brexit. Businesses that fail to comply can be fined up to €20 million or 4% of their annual worldwide turnover, whichever is higher.
David Riches, Executive Director at the British Chambers of Commerce (BCC), said: “Businesses need to be proactive about ensuring they are ready for the new data protection regulations when they come into force this time next year, and not leave preparations until the eleventh hour.
“Those firms that don’t fulfil the necessary responsibilities leave themselves vulnerable to tough penalties, not to mention public scrutiny.
“With twelve months to go, there are a number of procedures businesses should be reviewing to determine what changes may need to be introduced to be compliant. Businesses that are already vigilant about their data protection responsibilities won’t be unduly burdened by the new legislation.
“The General Data Protection Regulation is intended to reflect modern working practices in the digital age, and will strengthen consumer trust and confidence in businesses. It will establish a single set of rules across Europe, which will make it simpler and cheaper for UK companies to do business across the continent, even after we leave the EU.”
The BCC have outlined some initial steps that businesses can take to ensure compliance with the GDPR:
- Document what personal data the company holds, where it came from and who it is shared with. Consider organising an information audit or speaking to a data protection specialist.
- Review current privacy notices and plan any changes needed before the implementation deadline.
- Check procedures to ensure they cover all the rights individuals have under the new rules, including the right to have personal data erased and the right to receive it in an electronic, portable format if requested.
- Review how the company seeks, obtains and records consent from individuals, and whether any changes are necessary.
- Ensure the right procedures are in place to detect, report and investigate a personal data breach, bearing in mind that the GDPR requires notifiable breaches to be reported to the supervisory authority within 72 hours of becoming aware of them.
- Determine whether a Data Protection Officer is required, designate someone to take responsibility for data protection compliance, and assess how the role will sit within the organisation.
For more steps on preparing for the General Data Protection Regulation, please refer to the Information Commissioner’s Office checklist.