The new rules on data protection under the GDPR affect how businesses gather, use and store personal data relating to customers, clients, contractors or other business contacts. Almost all businesses, however small or large, are likely to hold some personal data.
The GDPR draws on the principles of the current Data Protection Act 1998. This means that if you are compliant under the previous rules, you are in a stronger position to build upon. That said, the penalties for non-compliance are much stricter under the GDPR, so we recommend that all organisations review their data protection policies and practices.
Reviewing your practices
When carrying out this review, some general points you should consider include:
- What kind of information do you hold about your customers, clients, contractors and other business contacts? In particular, where did this data come from, when was it received, where is it stored and how is it used?
- What is your lawful basis for holding this information? Are your contracts and terms of business fit for purpose?
- Do your marketing practices and privacy notices comply with the new rules under the GDPR?
- Do you have the resources to comply with a request from a customer or client to view, move or delete his or her personal data?
- Do you understand and can you comply with the data protection obligations placed on you under the contracts you sign up to?
On each issue, the answer will depend on the type and size of your business and on your current practices. Our lawyers can give you pragmatic advice on the best course of action for your business.