Businesses still trying to get a handle on GDPR a year after its introduction

7th August 2019

More than a year since GDPR (the General Data Protection Regulation) came into force, businesses are still struggling to wrap their heads round it, according to a Tunbridge Wells solicitor.

The EU regulation, which became directly applicable in May last year, sets out rules designed to increase privacy and give citizens more control over their personal data, but many businesses are still confused as to what it requires of them.

Thomas Newlyn, an Associate Solicitor at Tunbridge Wells’ lawyers CooperBurnett, which is based in Mount Pleasant Road, said one year on his firm is still getting calls from businesses, organisations and charities about it.

“There has been a lot of noise recently about the massive fines handed out for data breaches, and I think that has made people sit up a bit,” he said.

While smaller organisations are not going to face the punitive fines levelled at businesses such as British Airways, which last month was told by the ICO that it intended to fine the airline £183million for a breach of GDPR, he added that non-compliance could still be costly for local organisations.

“Even if the fine is just a couple of thousand pounds, that is still significant for some businesses, and while it is a pain to deal with GDPR, a bit of investment now could be invaluable,” added Mr Newlyn.

He explained that the three key documents organisations need to have in place are a privacy policy and terms and conditions, both of which should be published on their websites, and a written agreement covering any data processing carried out on their behalf.

He said: “A privacy policy sets out the information that the GDPR specifies you need to tell individuals when your business is collecting personal data from them. Your business’s standard terms and conditions need regular review to ensure they take account of business changes undertaken or legislative changes.”

And finally, he explained that whenever a data controller uses a data processor, there must be a written agreement in place, and the GDPR sets out what should be in such an agreement.

“The agreement should include the subject matter of the processing, its nature and purpose, its duration, the controller’s obligations and rights, the types of personal data and the categories of data subject,” he said.

But he added: “Remember, this all counts for very little if you are not following through on your written words and are not actually doing what you say you are in your GDPR documents.”
