On the 25 May 2018, the General Data Protection Regulation (GDPR) came into effect.

This means that all personal data will now be regulated under the stricter GDPR, meaning more stringent guidelines and procedures must be followed/adopted.

Following a number of extremely well-attended and engaging workshops, the NFDA continues to work with its members to meet the challenge of GDPR compliance.

If you need any assistance, please ring our dedicated GDPR helpline: 01788 538 304.

Summary of the key changes and impacts:

1. Collecting and using personal data
  • More stringent requirements, with all processes for collecting personal data to be reviewed.
  • Changes need to be made to privacy policies and any documentation detailing how an individual’s data is used – for example a consent form asking for personal data.
  • Clear, concise, direct language used to obtain consent.
  • New rights for people accessing their personal data.
2. Use of personal data for marketing purposes
  • Must have consent to send people electronic marketing.
  • Must have proof of how you obtained consent.
  • Consent must be obtained in accordance with the new GDPR requirements, even if that consent was obtained before GDPR implementation.
3. Data sharing arrangements
  • Must only use data processors that comply with GDPR.
  • The onus is on you as the user to ensure that the data processors comply.
  • This includes third parties such as, IT providers, cleaners or manufacturers.
  • If you use mailing lists from a third party, it is up to you to ensure that they are compliant and you have to prove and record your due diligence, including why you believe they are acceptable to use.
4. Demonstrating compliance and accountability
  • Must be able to demonstrate compliance with GDPR and explain and back up all decisions to the ICO.
  • Consider the need for a data compliance officer or other responsible individual to manage your data protection compliance.
  • Put in place measures to ensure that a record of the personal data processed in maintained.
  • Ensure adequate policies and procedures are in place relating to the collection of personal data.
  • New staff training required.
5. Data breaches and sanctions for non-compliance
  • It is mandatory that you notify the ICO of any data breaches and if necessary the data subject.
  • The new maximum level of fine is €20 million or 4% of total worldwide annual turnover (whichever is greater) for a personal data breach.
  • Depending on the levels of shares or benefits a director receives from a company, directors may also be liable to pay a fine if there is a breach.
  • Claimants who have had their personal data rights breached can also claim for damages.
  • Class actions can also be taken against a company for damages.