Changes to the current Data Protection regime come into force next May. Given the significant fines (up to €20 million or 4% of global turnover) for breach of the new General Data Protection Regulations (GDPR), it will pay to be fully prepared. One thing no business wants is to be the subject of front page headlines about data breaches and big fines.
Data protection law regulates the collection, storage and processing of any data which could identify a living individual. Where your business holds identifiable information relating to any individual (whether they be customers, staff or tenants) the GDPR will apply.
Although getting to grips with the new regime is daunting, these key questions (though far from exhaustive) focus on key compliance areas:
- Breaches: How secure are your IT systems and processes. If your personal data is hacked, would you know – and how quickly? Under the GDPR, all data breaches must be reported to the Information Commissioner within 72 hours, unless you can demonstrate the breach is unlikely to be a risk to the affected individuals.
- Processors: Where you store personal data off-site, or where you pass it to other companies (e.g. a third party marketing company), do the contracts you use with them properly govern how personal data is handled? The GDPR requires that all arrangements between businesses, and those who process data for them, must be captured in a written agreement that includes a range of specific criteria. As a result, standard contracts and policies will have to be up dated.
- Marketing consent: Crucially for hospitality businesses, who often rely on promoting offers to their customer base electronically, in order to send e-mails about your services to individuals, you will need specific and clearly-communicated opt-in consent. You must be able to prove that you have this consent, and where you got it (for example, collected from a feedback card after a visit to your site). In most cases this also means refreshing existing consents. If not, most of your carefully harvested marketing data may be unusable after 25 May 2018.
- Knowing your Data: Do you have a clear picture of how personal data flows through your organisation, and is this captured in an easy-to-find document? The GDPR requires not only that you be compliant, but that you are able to demonstrate that compliance at every stage should the Information Commissioner’s Office come calling.
GDPR compliance takes time – if you haven’t started already, focusing on your processes now could avoid a costly surprise later on.
For an overview of what is covered by the Regulations, click the link to see our useful GDPR data card.
The content of this page is a summary of the law in force at the present time and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.