GDPR is the new personal data protection legislation that came into force on 25 May 2018. Almost all businesses in Ireland will be affected by GDPR. Here are eight things you need to know about these new data protection laws.
1. GDPR is Complex
The same could be said about a lot of legislation affecting your business, particularly when new regulations are so wide-reaching (which GDPR is). What makes GDPR particularly complex, however, is that, in some areas, it is currently open to interpretation. In other words, the law is still evolving in terms of the specific actions you must take.
2. It is Important to Understand What GDPR is About
The spirit of GDPR is that each person in the EU is in control of their personal data. Some of the implications of this include:
- Individuals can decide who has access to their personal data, including their email address
- When giving consent for an organisation to hold or process personal data, that consent must be informed
- Individuals have the right to request information on the data you hold about them, as well as the right to ask you to change or delete their data
3. GDPR Covers All Data, All Companies, and Everyone
GDPR applies to everyone in the EU. It will also apply in the UK, even though the UK is leaving the EU.
GDPR also covers all data. This includes marketing data such as email lists. It also includes:
- Customer data
- Employee data including things like payslips, sick notes, holiday requests, and more
- HR data, particularly CVs and job application forms of both successful and unsuccessful applicants
- Supplier data
- And any other personal data you hold, use, or have access to
4. You Should do a Data Audit
A good starting point for most businesses is to do an audit of data. This includes:
- Identifying the personal data you hold on individuals
- Understanding how you came into possession of that data
- Deciding whether you need the data any longer and whether your need for it is consistent with GDPR
- Identifying gaps in your policies and procedures that you will need to correct
5. Securely Delete Data You Don’t Need
One of the important principles of GDPR is that you should only keep personal data that your business needs, and that you only keep it for as long as you need it.
6. Make Sure the Data You Store Is Secure
Check who has access to personal data in your business and analyse how easy it would be for an unauthorised person to gain access. For example, do you hold customer or employee data on a server that is not secure? Are paper-based employee records in an unlocked filing cabinet in an unlocked room?
7. Train Your Team
It is important that everyone on your team who has access to personal data is aware of GDPR and the importance of protecting data.
8. Give Someone in Your Business Responsibility for Data Protection
Making one person responsible will ensure you have a coordinated approach to the protection of personal data.
For more help and advice with your business, please contact a member of the Gilroy Gannon team today.