Are you ready for the new data protection regulations?
Anyone in business knows that there are a huge number of things to remember, such as sales, invoicing and payroll, on top of all the red-tape regulations you must follow to remain legally compliant. From 25 May 2018 there is a new one to consider, as the GDPR data protection legislation comes into force.
At UKVending we want our customers to be fully up to date with what this means both for us and you our customers.
The first thing to note is that data protection is an important part of protecting individuals' and companies' identities, copyrights and reputations. We therefore take our responsibilities in this matter very seriously.
Some changes to your system will be required. As a basic guide, we suggest the following:
- The right to be forgotten. If an individual asks to be removed from your system we must do so (subject to the exceptions GDPR allows, such as records we are legally obliged to keep) and provide evidence of the removal if you request it. This occasionally causes problems in systems where client details cannot simply be deleted because they are linked to tickets and invoices. Where possible we will build in the ability to anonymise these details instead: every personal field is overwritten with "XXXX" while the record itself, and the tickets and invoices that reference it, stay intact. This keeps the system consistent and lets us show the individual a before-and-after view to prove the data has been removed. One caveat: the "before" view contains the very data being erased, so it should be shown to the individual and not kept.
- The right to store data. GDPR requires a lawful basis for every piece of personal data you hold. Consent is one such basis, and where you rely on it you must be able to prove that it was actively given, what it covers and how long the data will be kept. We are not allowed, for example, to record someone's address so that we can attend a repair and then use that address for a mailshot. The system therefore needs to record consent per purpose, so that we can show consent exists before using details for sales, and the individual must be able to withdraw it. Someone may be happy for us to store their details but not to mailshot them, and withdrawing marketing consent must not remove the details we need for the repair. We obviously need to store certain details for other legal and business functions; these will be listed in our terms and conditions.
- There is now a requirement to notify people whose information we hold if their data is breached. For example, if the online system is compromised or a disgruntled ex-employee removes data without permission, we are duty bound to tell any affected individuals that their data may be at risk. Our approach to this is two-pronged. First, technical measures such as strong passwords, two-factor login and encryption will be used; these limit your exposure in the event of a breach or attempted breach. Second, we will have a written policy documenting the actions to be taken when a breach is reported or suspected.
The ICO must be notified within 72 hours of our becoming aware of a breach, and affected individuals must be told without undue delay where the breach is likely to put them at high risk.
- Lastly, we will appoint a DPO (Data Protection Officer), the role GDPR defines for this, who will be the first point of contact and the person responsible for the notifications and policies above. So, for example, if we noticed suspicious activity on your system, this is the person we would report it to, and the person who would action right-to-be-forgotten requests and so on.
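The two system changes described above, erasure by anonymisation and per-purpose consent, can be shown on a small customer/invoice schema. The following is an added example written for this page, not UKVending's own code; the table layout, the column names and the sample customer are constructed assumptions, and SQLite is used so it runs offline.

```python
"""Added example (not UKVending's code): erasure by anonymisation and
purpose-specific consent on an assumed customer/invoice/consent schema."""
import sqlite3
from datetime import datetime, timezone

MASK = "XXXX"  # placeholder the page describes for erased fields
PERSONAL_FIELDS = ("name", "email", "phone", "address")  # assumed columns


def open_db():
    """Create an in-memory database holding constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY, name TEXT, email TEXT,
            phone TEXT, address TEXT, anonymised_at TEXT);
        CREATE TABLE invoices (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(id),
            amount_pence INTEGER);
        CREATE TABLE consents (
            customer_id INTEGER NOT NULL REFERENCES customers(id),
            purpose TEXT NOT NULL, granted_at TEXT NOT NULL,
            withdrawn_at TEXT, PRIMARY KEY (customer_id, purpose));
        -- constructed sample data
        INSERT INTO customers VALUES
            (1, 'A. Smith', 'a.smith@example.com', '01234 567890',
             '1 High St', NULL);
        INSERT INTO invoices VALUES (100, 1, 4500), (101, 1, 1250);
        INSERT INTO consents VALUES
            (1, 'service', '2018-05-25T09:00:00+00:00', NULL),
            (1, 'marketing', '2018-05-25T09:00:00+00:00', NULL);
    """)
    return conn


def _now():
    return datetime.now(timezone.utc).isoformat()


def has_consent(conn, customer_id, purpose):
    """True only if consent for this purpose was recorded and not withdrawn."""
    row = conn.execute(
        "SELECT withdrawn_at FROM consents WHERE customer_id=? AND purpose=?",
        (customer_id, purpose)).fetchone()
    return row is not None and row[0] is None


def withdraw_consent(conn, customer_id, purpose):
    """Withdraw one purpose (e.g. marketing) without touching the others."""
    with conn:
        conn.execute(
            "UPDATE consents SET withdrawn_at=? WHERE customer_id=? AND purpose=?",
            (_now(), customer_id, purpose))


def anonymise_customer(conn, customer_id):
    """Overwrite personal fields in place so invoices still link to the row.
    Returns (before, after) dicts to show the requester; the 'before' copy is
    personal data and must not be retained once it has been shown."""
    cols = ", ".join(PERSONAL_FIELDS)  # constant column names, not user input
    sel = f"SELECT {cols} FROM customers WHERE id=?"
    before = dict(zip(PERSONAL_FIELDS,
                      conn.execute(sel, (customer_id,)).fetchone()))
    sets = ", ".join(f"{c}=?" for c in PERSONAL_FIELDS)
    with conn:
        conn.execute(
            f"UPDATE customers SET {sets}, anonymised_at=? WHERE id=?",
            (*([MASK] * len(PERSONAL_FIELDS)), _now(), customer_id))
        # consent is meaningless for an erased subject: withdraw everything
        conn.execute(
            "UPDATE consents SET withdrawn_at=COALESCE(withdrawn_at, ?) "
            "WHERE customer_id=?", (_now(), customer_id))
    after = dict(zip(PERSONAL_FIELDS,
                     conn.execute(sel, (customer_id,)).fetchone()))
    return before, after


def invoice_count(conn, customer_id):
    """Financial records survive the erasure; they must be kept by law."""
    return conn.execute("SELECT COUNT(*) FROM invoices WHERE customer_id=?",
                        (customer_id,)).fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    withdraw_consent(db, 1, "marketing")
    print("marketing allowed:", has_consent(db, 1, "marketing"))
    before, after = anonymise_customer(db, 1)
    print("before:", before)
    print("after:", after, "invoices kept:", invoice_count(db, 1))
```

Two design points worth noting. Consent is keyed by purpose, so withdrawing marketing consent leaves the service record that a repair visit depends on; and the anonymisation keeps the customer row (and its foreign-key links from invoices) while wiping only the personal columns, which is what lets the before-and-after comparison be produced without breaking the ledger.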
There are quite a few other areas we will need to address, but the above should give you an indication of what the GDPR represents and enforces. It will affect companies large and small in different ways and to different depths, and many larger organisations are now requiring the companies they work with to be GDPR compliant too. With possible fines of up to 20 million euro or 4% of global turnover, whichever is higher, it is something that needs to be taken seriously.
For further information on the GDPR, the ICO's official guide is here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/