Be prepared for GDPR – get your business ready

By Paperstone on January 17, 2018 in Legal


Spring 2018 will bring a new challenge to UK businesses, as tougher data protection laws come into force.

The bar is being raised for standards in data control and processing – and now is the time to prepare.

The new General Data Protection Regulation (GDPR) is an EU law giving extra rights to individuals regarding their personal information and how it is stored and processed. It comes into effect on 25th May 2018.

So, what does this new framework mean for small and medium-sized businesses?

In a nutshell, your customers or clients can challenge the accuracy of any data you hold on them and demand to know how you’re using their personal details. You will have to respond to queries promptly – within a month, rather than the current 40 days – and you won’t be able to charge for providing a response.

Depending on the type of business you run, individuals may have the right to be forgotten (to have their personal data removed from your system) unless there is a watertight, legitimate reason for keeping it there.

In some situations, individuals can withhold consent for data-processing or request that you transfer their details to another organisation.

There are multiple enhancements to individuals’ rights that you need to be aware of. To find out how this affects your business, start with the guidance published by the Information Commissioner’s Office (ICO).

Failing to prepare for this change in the law could land your business in hot water, as non-compliance may attract crippling fines, even for very small businesses. Once GDPR becomes law, there is no further period of grace.

Here are a few tips on preparing for GDPR:

  • Carry out an information audit across your organisation. Document what personal data you hold, where it originated and who you share it with.
  • Educate your key personnel on the GDPR and work together to identify where improvements are needed. Check that your procedures cover all of the new rights that individuals will possess. Agree a timetable for implementing new procedures ahead of 25th May.
  • Review existing privacy notices. Under GDPR you’ll need to clarify your lawful basis for processing the data, your data retention periods, and the fact that people have the right to refer to the ICO if they have a complaint about how their data is being handled.
  • Review how you seek, record and manage consent for storing and processing data. Refresh existing consents if they don’t meet the GDPR standard (read the in-depth guidance from the ICO). If you provide services to children, obtain consent from parents or guardians.
  • Plan procedures in advance to deal with any data breach that may occur after 25th May – there are strict rules about reporting breaches.

These tips are for general information only and you will need to study the requirements of GDPR in depth and apply them to your organisation. Checklists are available from ICO.
