BEB Contract and Legal Services have been working with many clients from all different industries including IT, recruitment, digital marketing, trades and estate agents to ensure they are GDPR ready for the 25 May deadline.
Here is a list of the firm’s exclusive GDPR facts:
- Businesses have until 25 May 2018 to prepare.
- Personal data as a definition has become wider – so any information that can directly or indirectly identify a person is now considered as personal data.
- These principles must apply if you are handling personal data – processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate and kept up to date; kept for no longer than is necessary in relation to the purposes for which it was collected; processed in a manner that ensures appropriate security.
- Consent is not the ONLY way to process data lawfully: you can also rely on legitimate interests or on meeting a contractual obligation. Where you do rely on consent, for marketing or to pass their details on, organisations will need to be able to demonstrate that consent was knowingly and freely given, clear and specific, and should keep clear records of that consent.
- Pre-ticked boxes are a big no-no, and prospects must actively opt in to ANY future marketing.
- Individuals now have more rights – the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and rights with respect to automated decision-making and profiling.
- All emails containing personal data must be encrypted, alongside other data protection measures.
- If you are transferring personal data to a country outside the EEA, the recipient must also comply.
- All personal data breaches must be reported within 72 hours to the ICO.
- The fines are HUGE for non-compliance: €10 million or 2% of your annual turnover, whichever is higher – for not keeping proper records, violating data breach requirements and more; €20 million or 4% of your annual turnover, whichever is higher – for violating basic processing principles, ignoring individuals’ rights, incorrectly transferring personal data and more.