The aim of the GDPR is to give EU citizens more control over how their data is handled. Businesses are required to ask a person before collecting their data, specify how they will be using the data, and who will have access to it. Data can then only be retained for a limited period. Ultimately, the rules aim to restore public confidence.
The GDPR will come into effect before the UK has left the EU. UK politicians have also indicated that any future data regulations will look very similar to the GDPR.
Any business or organisation that processes or controls data belonging to citizens residing in the EU must comply with the new rules.
Adhering to the rules specified in the GDPR will become mandatory for UK businesses on 25 May 2018, and businesses that fail to comply may face heavy fines.
◦ Businesses must only hold data for as long as is necessary, and must only use it for the purpose for which it was obtained. This means, for example, that data obtained from unsuccessful job applicants should be deleted at the end of the recruitment process. If an HR team wants to hold onto data for other purposes, they must expressly ask for the user’s permission.
◦ When data is retained, it should be stored in an encrypted format to reduce the likelihood of a successful cyber security breach.
◦ The rules also apply to employees in your business. If an employee leaves the business or is fired, you can only keep a limited portion of their data.
◦ Data should only be used for its intended purpose, and not shared outside of the company.
◦ All client or user information that your business handles should only be shared on a need-to-know basis.
◦ This means your staff should not be able to access an individual’s or company’s records unless they are specifically working on them.
◦ If data is being processed or stored remotely, your company must take steps to ensure that the third party has adequate security procedures.
◦ Companies must share details of how they collect, process, and store individuals’ data.
◦ They must also make a person’s data available to them if they request it.
The Information Commissioner’s Office suggests that the first step for preparing your business for the GDPR is to arrange GDPR awareness training for your staff. The training should teach them how they should collect, handle, and process data, and about the key principles of GDPR such as purpose limitation and confidentiality.
Integrated Resources has teamed up with Yellow Room Learning, a leading provider of Cyber Security, Data Privacy and GDPR Awareness Training, to help bring your employees up to speed.
Please get in touch if you would like support in getting GDPR-ready.