The General Data Protection Regulation (GDPR) is a new law that will replace the current Data Protection Act. It comes into force in the UK and across the EU on 25th May 2018 and, regardless of Brexit, will be relevant to your business.
Regulated by the Information Commissioner’s Office (ICO), the new law gives people more control over how their data is used, shared and stored, and requires organisations to be more accountable and transparent about how they use personal data.
However, according to the latest research from the Federation of Small Businesses (FSB), the UK’s small business community is still worryingly unprepared for the new data protection regulations.
The research shows that 33% of small businesses have not started preparing for the introduction of the GDPR, a further 35% are only in the early stages of preparation, and only 8% of small businesses have completed their preparations.
With less than two months until the new regulation applies, every business needs to be ready so that it can remain fully compliant and avoid the significant penalties that could otherwise be issued.
The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.
What will change under the General Data Protection Regulation?
To guarantee privacy rights, the GDPR focuses on:
- Reinforcing individuals' rights
- Strengthening the EU internal market
- Ensuring stronger enforcement of the rules
- Streamlining international transfers of personal data
- Setting global data protection standards
The changes will give people more control over their personal data and make it easier to access. The new regulation is designed to make sure that every individual's personal information is protected – no matter where it is sent, processed or stored – even outside the EU, as may often be the case on the internet.
What are the main requirements of the regulation?
According to the ICO, all businesses and individuals who process personal information must comply with 8 principles of the Data Protection Regulation, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with individual rights
- Kept securely
- Not transferred to other countries without adequate protection
Make sure that your business is compliant
For businesses in the hospitality sector, the new regulation will have a huge impact, particularly as a large amount of personal information is held. Compliance with the new data protection law is therefore crucial to avoid fines and loss of revenue.
To prepare for the introduction of the GDPR, it is important that you are proactive in the protection of data. This includes organising training for your employees, carrying out an audit of the personal data that you hold, appointing a Data Protection Officer (DPO) and reviewing your privacy notices and consent forms.
Finally, remember that your guests and customers will have increased rights, including the right to know what personal data is being stored and how it is processed.
It is vital that you get prepared and take appropriate action to ensure that your business meets the legal requirements of the new GDPR.