Here at TAG Accountants Group, we strive to take a proactive approach with our clients and consequently we now present a “heads up” on the next tranche of legislation that will affect them, being the General Data Protection Regulation or “GDPR”.
European data protection laws are changing from 25th May 2018 and this will affect ALL businesses in the UK because the current Data Protection Act (“DPA”) will then be updated to reflect these new GDPR obligations.
Compared to the DPA, GDPR has greater scope, much tougher punishments and harsh judicial remedies for those who fail to comply with new rules around the storage and handling of personal data.
Why is GDPR being introduced?
Since the DPA was introduced in 1998, technology and the internet have developed at such a rapid rate that the DPA is now deemed relatively ineffective. Nowadays, the ease and sophistication of data collection means that thousands of SMEs not only collect personal details, but store, move and access them online. This personal data is likely to be used in a variety of areas, e.g., regarding sales, customer relationship management and for marketing purposes.
Cybercrime is also growing rapidly and, in 2016, it is estimated that companies in the UK lost more than £1 billion due to cybercrime. Major data breaches have given criminals access to data such as names, birth dates and addresses, social security and pension information.
A recent report from the Federation of Small Businesses (FSB) claims that SMEs are now more likely to be targeted by cybercriminals than their large corporate counterparts as cybercriminals consider SMEs somewhat softer targets!
Consequently, GDPR is considered a necessity for the protection of data in a modern internet-based society. Its introduction creates the opportunity for businesses to take a fresh look at the data they hold and its underlying security, given that a data breach would at the very least damage a business’s reputation, to say nothing of the impact of the GDPR penalties themselves.
So, what does GDPR mean for your business?
In future, a business must keep a detailed record of how and when an individual gave their consent to store and use any personal data. Furthermore, and unlike with the DPA, this must now be in the form of a positive agreement to do so and cannot be inferred from a pre-ticked box. Customers or individuals will also have the right to withdraw that consent, in which case details are to be permanently erased.
This means businesses will also need to review their existing data and delete any that they no longer have a valid reason to hold. The GDPR sets out the various legal bases for processing such personal data, such as needing it to perform a business contract.
In any event, data must be kept securely and consequently each business would be best advised to undertake a review of current practices to minimise the likelihood of any future data breaches. Personal data is a key tool for SMEs looking to target and retain customers and GDPR means it must now be handled even more carefully.
We believe that your business should start planning for the GDPR now and we recommend undertaking an Information Audit as a first step. May 2018 is not far away!
How can we help?
Here at TAG Accountants we have produced an Audit Checklist of the actions your business should undertake before 25 May 2018, in the form of a compliant Policy framework, to confirm firstly that it has the correct permissions and secondly that any data is stored as securely as possible.
For a copy of this Audit Checklist, please complete the contact form here or call us today on 01902 783172. If it’s appropriate, we could always discuss all this, and anything else that we may be able to help you with, over a coffee!
We look forward to speaking with you.