The General Data Protection Regulation
The deadline for General Data Protection Regulation (GDPR) is fast approaching. The implementation date is 25th May 2018. Many SMEs will think that this does not affect their business. This affects all types of organisations who have an EU establishment and also those who transact within the EU.
Under the GDPR, the data protection principles set out the main responsibilities for the organisation. They are similar to those in the Data Protection Act but with additional detail. There is also a new accountability requirement included in the main responsibilities.
The new accountability requirement is a significant addition. The GDPR requires you to show how you comply with the principles. You are required to document the decisions you take about a processing activity. GDPR expects you to put in place appropriate measures to demonstrate you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies. These measures should minimise the risk of breaches and uphold the protection of personal data.
Organisations who fail to comply will face fines from 4% of annual turnover up to £500,000.
The Information Commissioner’s Office (ICO) has published some guidance including 12 steps to take now.