Our guide to become GDPR compliant

As advisors supporting businesses in the UK, we would like to inform you of the new Data Protection legislation, the EU General Data Protection Regulation (GDPR), and its related implications for your business. We want to ensure that you are aware of the new legislation, what measures your company have to take in order to comply with the regulation, and how Goodwille can assist you in becoming GDPR compliant. This guide provides an overview of the new regulation, and what you can do to ensure you and your business are prepared for the changes to existing legislation.

The GDPR is enforced on 25 May 2018, replacing the existing EU Data Protection Directive. The regulation significantly increases the obligations and responsibilities for businesses in how they gather, use and protect personal data. At the same time it strengthens European citizens’ data privacy and right to access their personal data by setting out additional and more clearly defined rights for individuals whose personal data is stored by businesses.

Below are some of the main considerations on how to prepare to become a GDPR compliant organisation:

Identify problem areas in your business by reviewing and enhancing your organisation’s risk processes

This can be done by making an inventory of all personal data the business holds, why the business holds it, if it is still needed, and if the data is safely stored.

Communicate with your clients and employees

You will need to ensure that your clients and employees are fully informed about how their data is used and that your company has procedures in place cover all the rights individuals are entitled to, e.g. the right to access their data or have it erased from your systems.

Data subject access request

Every individual has the right to make a data subject access request. This means that the individual has the right to obtain all the personal information your company stores about the individual within one month from the date the request was made. You will need to ensure that you have measures in place to deal with any such request within one month’s time.

Consent to store individuals’ data

An individual’s expressed consent has to be freely given for a company to be allowed to gather and store any personal data. Note that an individual cannot be forced into consent or be unaware that they are consenting to their data being stored e.g. through pre-ticked boxes, but the consent has to be actively given by the individual.

It is essential that your business is mindful of data privacy in all ongoing and future projects, as you will face heavy fines if not. The GDPR is based on the one stop shop mechanism signifying that organisations engaged in cross-border processing of personal data will deal with a single lead supervisory authority. Your company’s lead supervisory authority will be the authority of the country in which your business has its main establishment.

To ensure that your business is compliant before 25 May, it’s time to put a GDPR policy in place or draft board minutes to show that your company is working towards becoming GDPR compliant. Goodwille are happy to provide you with further guidance on the GDPR, help set up a company policy or draft board minutes containing information on how your company is working towards complying with the regulation. Get in touch with our Corporate Legal team today for assistance or if you have any questions. This article also provides a good foundation for understanding the GDPR and its implications for your business.