As of 25 May 2018, the General Data Protection Regulation (GDPR) has been enforced in accordance with European Union (EU) requirements. It is a regulation that affects businesses of every shape and size in Belfast and Northern Ireland, from sole proprietorships to multi-billion-pound organizations, as all of them must comply with the same requirements of the GDPR Northern Ireland regulation. So let’s first get to know a bit about the legislation, to help understand how it applies to small businesses, along with quick tips on implementing its tenets.
The Principles of GDPR
First, there are two important principles that form the basis of the GDPR requirements:
- It aims to empower residents and citizens of the EU and Northern Ireland to access and control their own personal data.
- It aims to standardize the regulations for all organizations to conduct business internationally across the EU.
Also, an important point to remember is that the rules under GDPR compliance apply not only to businesses established within any EU country, but in some circumstances also to organizations established outside the EU that handle the data of citizens living within it, since the primary focus is on the data of all EU citizens.
GDPR in Northern Ireland after Brexit?
An issue more specific to GDPR Northern Ireland (and the UK) is Brexit and what is to come after leaving Europe. While the GDPR regulation was obviously enforced before Brexit, it should not be assumed that post-Brexit businesses in Northern Ireland can cease to comply with the regulation, as it has been decided that the United Kingdom will incorporate a mirror copy of this regulation into its laws as part of a proposed “Data Protection Act”. However, even if this does change, it will make no difference to businesses dealing with the data of citizens in Ireland or elsewhere in the EU.
GDPR applies to all businesses in Belfast and Northern Ireland that process the personal information of any EU citizen. This includes businesses with fewer than 250 employees, or small businesses in short.
If your organization is small, but it processes large volumes of “special category data” on a regular basis, then you are required to appoint a Data Protection Officer (DPO).
This rule also applies to businesses in Belfast and Northern Ireland of any size that carry out regular or systematic monitoring of extensive personal data on a large scale.
It is the responsibility of the DPO to ensure that the requirements set under the GDPR are always complied with. The DPO will also be the point of contact for data protection enquiries made by any authorised person or organization.
Importance of GDPR Compliance
Should an organization encounter any serious data breach that may impact the rights of individuals, it must be reported to the appropriate regulator; in the case of the UK, this is the Information Commissioner’s Office (ICO). This should preferably be done within 24 hours of the breach taking place or being identified, and no later than 72 hours. A detailed report must be provided, describing how the breach occurred, its extent, how the breach is being contained, and what remediation steps the organization has taken.
Under this regulation, private individuals also have increased rights over how businesses can use their personal information. For example, an individual can exercise their “right to be forgotten”, which means that you are obligated to stop processing all of their information immediately unless you have another legal reason to continue. So if a person was your customer but is no longer one, your contract with them comes to an end and you cannot retain any information about them.
Should a business be found guilty of not complying with the rules set under the GDPR, severe penalties are meted out. Previously, the ICO could fine up to just 500,000 pounds. Under GDPR, the fine can go up to 20 million euros, or 4% of the annual turnover of a business, whichever is higher. Some high-profile businesses here.
GDPR Checklist for Small Businesses
Before you go about adhering to the points in the checklist below, remember that you must also include past and current employees, suppliers, and customers. If personal data of any other entity, individual or otherwise, is being collected, recorded or stored, and used in any manner, then all such data comes under the purview of this regulation.
What is Personal Data?
Familiarize yourself with the data and the types of data being collected. You need to understand that separate rules apply to personal data (name, address, date of birth, email address, bank details, IP addresses, photographs) and to sensitive data (health information or religious views). You must also understand how your organization obtains such data, whether it is disclosed in any manner, and how your organization uses it.
Consent to Use Data
Check whether you are relying on a person’s consent to process their data, for example to send marketing emails. Such activities are scrutinized more carefully under GDPR because it requires any consent to be explicit, clear, and specific. So rely on consent only if you have to.
Give “fair processing notices” to your customers so they know why you are collecting their personal information and how you intend to use it. Being transparent saves you a lot of hassle with customers and regulators alike.
It is best to use good and reliable data security measures (we can help here) that are also GDPR compliant. One good example is a reliable encryption tool, which goes a long way toward avoiding data breaches and large penalties from regulatory bodies.
Get to know the timeframes in which you need to handle access requests from individuals. Extensions are granted only under very specific mitigating circumstances. There are four main categories of Subject Access Request, and each has a different timeframe.
Train a small team of employees in your organization to recognize and handle data breaches in the best possible manner for your organization and the affected individual(s). Breaches must be reported no later than 72 hours after they occur. The easiest way for them to report such issues is to contact your in-house DPO, who will know the next steps in this process.
IT Support for GDPR Northern Ireland
There will always be other issues to consider, such as access permissions, the need to rectify incorrect data, and circumstances where it is necessary to erase data. And there will continue to be new and amended legislation to consider in the future, so it is always best to err on the side of caution.
If you’re still wondering whether your business should comply with the GDPR in Belfast, and what IT support we can offer for GDPR Northern Ireland, feel free to get in touch for free advice at Wilson Computers. Contact us here.