The General Data Protection Regulation (GDPR) comes into force on the 25th of this month.
Under the Regulation, businesses have a duty to keep individuals informed about the use of their personal data and about their legal rights concerning that data.
In addition, if you are doing business offline, which most businesses do in addition to online trading, you will need to be aware that GDPR and its information requirements apply in just the same way.
The right to be informed is one of the key parts of GDPR. This means that if you deal with consumers, you will need to inform them of the following:
- What personal data you hold about them
- What you use the data for
- The grounds for using the data
- How long you will hold the data
- Whether you intend to share the data, and with whom
You will also need to provide people with information about their rights, including the right of access and, where it applies, the right to withdraw consent.
If you collect personal data directly from consumers, you should be informing them of all this at the time of collecting the data. If you collect the data through a third party, then you must inform the data subjects either when you first communicate with them, within a month, or when you disclose the data to someone else, whichever occurs first.
You will need a privacy notice ready to provide to consumers. This notice will need to set out the required information in an easy-to-follow, user-friendly way. It will need to be designed specifically for use in situations where data is being collected offline rather than online through a website. This might be, for example, at the point of sale.
Your Data Protection Policy
If you already have a data protection policy then you will need to update it in line with GDPR. If you don’t already have one, now is the time to get one drafted.
It is vital that your entire organisation is aware of the rules involved in GDPR and how personal data should be handled now that things have changed. Without a data protection policy, you have no proof that you have made any attempt to put procedures in place within your business for protecting personal data in line with the new Regulation.
Remember, we have discussed this before: fines for breaches of this Regulation are substantial to the point where they could devastate a business.
Time to Take Advice?
If you have not yet brought your business up to speed in readiness for GDPR, you really do need to get moving. Getting your policies in order is absolutely crucial if you are going to remain compliant, so either consult a lawyer or look online for good quality policy templates that you can adapt to your specific business needs.