Last updated: 08.09.17

5 things you should be considering when it comes to GDPR

All businesses and organisations across the UK have to comply with the European Union’s General Data Protection Regulation (GDPR). There’s no shying away from this legislation, even in post-Brexit Britain. It’s something businesses need to address or face damaging fines.

Probably the most significant impact of GDPR is on the way marketing communications are sent to customers and on how personal data is handled and stored. Companies failing to follow the rules can be fined up to 20 million euros (£17 million) or four per cent of global annual turnover, whichever is the greater amount.

Since the introduction of GDPR the ICO has recorded a 160% increase in the number of complaints it receives, but it has yet to issue any fines under the new penalty structure.

Here are the five things your business should be considering when it comes to GDPR:

  1. Data breach protocol

Major data breaches are becoming more and more common, with some of the biggest names in technology falling prey to hackers. It’s essential for businesses to have a data breach protocol in place to support GDPR compliance.

The aim is to have a plan for dealing with any breach that may occur: how to establish its nature and likely consequences, and what measures will be taken to mitigate its effects. This lets the organisation identify which data was taken and where the breach occurred, which it needs in order to notify the ICO within 72 hours of becoming aware of a breach (where feasible) and to inform the affected individuals without undue delay when the breach is likely to result in a high risk to them.

  2. Privacy policy

Any business or organisation should ensure their privacy policy is kept up to date, as regulations around GDPR evolve and adapt from its initial launch. It should also evolve in line with changes to internal processes and structures.

Instead of waiting for GDPR to directly impact their company (this could very well be in the form of heavy fines if they fail to comply), businesses should adopt a proactive stance by reassessing how they currently collect, use and store personal data.

  3. Personal information

It’s essential to know and understand what personal information your company is storing, and why, as this is a central concern of GDPR. Under GDPR, personal data includes names, addresses, telephone numbers, account numbers, email addresses and IP addresses. PII (personally identifiable information) can be client data or employee data, and it can be stored across many different digital and physical repositories.

To ensure you’re compliant with the regulations, you need to follow the rules around why you collect personal data and how you store it, and for how long.
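As an added illustration (not code from the original article), here is a small Python data-inventory script that scans constructed sample repositories for the categories of personal data named above (email addresses, IP addresses, UK phone numbers and postcodes), counts which field of which repository holds which category, and keeps only a salted hash of each hit so the inventory does not itself become another copy of the data. It then lists repositories that hold personal data but have no retention period recorded. The repository names, sample records, regex patterns, salt and retention table are all assumptions made for the example; the sample IPs and phone numbers are from reserved documentation ranges.

```python
import hashlib
import re
from collections import defaultdict

# Illustrative patterns for the categories the article lists as personal data.
# They are good enough for the constructed data below, not a complete classifier
# (names, for instance, cannot be found by regex and need a declared schema).
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "uk_phone": re.compile(r"\b(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
}

# Constructed sample data: two hypothetical repositories, a CRM export and a
# web server access log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; 07700 900xxx is a reserved UK drama number range.
SAMPLE_REPOSITORIES = {
    "crm_export.csv": [
        {"name": "Alice Example", "email": "alice@example.com", "notes": "called from 07700 900123"},
        {"name": "Bob Example", "email": "bob@example.org", "notes": "prefers post, SW1A 1AA"},
    ],
    "web_access.log": [
        {"line": '203.0.113.7 - - [10/Sep/2017:10:00:00 +0100] "GET /account HTTP/1.1" 200'},
        {"line": '198.51.100.23 - - [10/Sep/2017:10:00:05 +0100] "POST /login HTTP/1.1" 302'},
    ],
}

# Hypothetical retention register: only the CRM export has a documented period.
RETENTION_POLICY = {"crm_export.csv": "24 months after last contact"}

# Assumed salt; in practice keep it outside the script and out of the report.
INVENTORY_SALT = "inventory-2017"


def pseudonymise(value):
    """Short salted SHA-256 of a matched value, so the same record can be
    recognised across repositories without copying the raw value into the
    inventory (which would otherwise be one more store of personal data)."""
    return hashlib.sha256((INVENTORY_SALT + value).encode("utf-8")).hexdigest()[:12]


def find_matches(repositories):
    """Return a list of (repository, field, category, pseudonym) for every
    personal-data hit found in every field of every record."""
    hits = []
    for repo, records in repositories.items():
        for record in records:
            for field, value in record.items():
                text = str(value)
                for category, pattern in PII_PATTERNS.items():
                    for match in pattern.finditer(text):
                        hits.append((repo, field, category, pseudonymise(match.group(0))))
    return hits


def build_inventory(repositories):
    """Aggregate the hits into {repository: {field: {category: count}}}.
    Fields with no personal data do not appear, so the result is a map of
    where each kind of personal data actually lives."""
    counts = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for repo, field, category, _ in find_matches(repositories):
        counts[repo][field][category] += 1
    return {r: {f: dict(c) for f, c in fields.items()} for r, fields in counts.items()}


def retention_gaps(inventory, policy):
    """Repositories that hold personal data but have no retention period recorded."""
    return sorted(repo for repo, fields in inventory.items() if fields and repo not in policy)


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_REPOSITORIES)
    for repo, fields in inventory.items():
        for field, categories in fields.items():
            print(f"{repo}: field '{field}' holds {categories}")
    for repo in retention_gaps(inventory, RETENTION_POLICY):
        print(f"no retention period recorded for {repo}")
```

The inventory answers the "what and where" question; the retention check answers "for how long" by comparing it against whatever register the business keeps. Anything reported as a gap needs either a documented retention period or a deletion.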

  4. PII (Personally Identifiable Information) data

To handle your PII data under GDPR, you’ll need to establish your procedures for where and how each type of data is stored, and stick to these procedures. You also need to make sure personal information is accurate and you have a legally valid and necessary basis for collecting and storing it.

Consent from the individual is one such basis, but not the only one: GDPR also recognises, among others, performance of a contract, a legal obligation and legitimate interests. Whichever basis applies, the individual has the right to access their data and to request its erasure. This means being open and honest from the start about what you intend to do with the data.

All your employees whose job responsibilities involve working with PII data should be given relevant training, and it’s worthwhile for everyone to be aware of the principles of GDPR to ensure compliance across your business.

  5. Privacy policy

Setting out your privacy policy is standard business practice, but GDPR stipulates that it should be clear and understandable for the user. Whereas before, these policies could be impenetrably long and complicated and full of legal jargon, they now need to be concise and use everyday language. 

Your policy should also highlight an individual's right to object to the processing of their PII data (including for direct marketing) and to withdraw consent, whether the data is used internally or shared with third-party companies, as well as show the firm’s stance on data security.

Visit our GDPR hub to find out more information
