The EU General Data Protection Regulation (GDPR) will come into force in Northern Ireland on 25th May 2018. As the biggest shake-up in data protection since the Data Protection Act 1998, it brings a lot of changes which companies of all sizes will need to adhere to. Because the fines for not being GDPR-compliant are significant (up to €20 million, or 4% of annual global turnover, whichever is higher), many companies are naturally wondering what they need to do to get ready for GDPR and ensure they are operating within the law. Here are a few essential steps to help you work towards compliance.
1. Ensure your staff are prepped to deal with questions
If a customer asks what information is held about them, your staff need to be prepared to answer straight away and to justify why this information is being held. Similarly, if you hold employee information and an employee asks about it, you’ll need to be able to answer. It is highly likely that all your staff will require some level of GDPR training in order to understand the reasons behind it and the consequences of failing to comply.
2. Do an information audit
Identify what type of data you hold and why. Find out where the data comes from and who you share it with. Take some time to review your current data protection policies, codes of conduct, website messages and sign-up permissions regarding privacy of information and opt-ins to ensure you are compliant with GDPR principles.
3. Review your service providers’ contracts to ensure they are also GDPR compliant
This legislation impacts everyone you do business with or who does business with you, so make sure the suppliers you choose to work with are also making provisions for these legislative changes.
4. Put in place procedures for deleting personal data
If a customer or employee contacts you and asks to exercise the ‘right to be forgotten’, you need to have a process in place which deletes their personal information where it is no longer necessary for you to hold it in relation to the purpose for which it was originally collected. Obviously, there will be some legal exemptions where it is not possible to delete certain data.
5. Protect the data that you have
You will need to have systems in place which detect, report and investigate any data breaches. It is your responsibility to ensure that the data you store about suppliers, employees and customers is held in a safe place.
6. How do people consent to receiving information from you?
This is especially important for customer engagement and marketing purposes: you will need to seek, obtain and record consent if you wish to engage in future communications.
This is a complex area of the law, and there is a lot of guidance and information available from UK-based sites which can be confusing for Northern Ireland companies, as the legislative framework in Northern Ireland is very different from the rest of the UK. If in doubt about what you need to do, we would advise that you seek legal advice and follow the steps provided by NIBusinessInfo.co.uk, where you can find more up-to-date information and resources.
Harry McPartland & Sons Solicitors in Lurgan and Lisburn are on hand to provide you with advice and legal services on all areas of the law. If you have questions about anything from employment law to licensing to conveyancing, give us a call or contact us at info@mcpartlands.com