Barely a day goes by without a breach of sensitive data hitting the news. The General Data Protection Regulation (GDPR) is coming in on May 25 and the new rules are a response to the explosion in the use and misuse of personal information that regulators have so far struggled to get a handle on. The GDPR will have major implications for most businesses in the timber trade on the way they manage their data.
Many companies in our sector keep personal and customer information and this is often shared with third parties. This puts them at high risk if they don’t know when to ask for data consent or don’t have adequate data control procedures or policies in place, particularly in the event of a data breach.
The new rules should not mean a bonfire of employee data or contact lists, but they will require your business to map out which parts of the GDPR will impact on it and put new measures in place if necessary.
The obligations should help protect sensitive data and guard against complacency over data breaches but there will be major consequences for ignoring them. The Information Commissioner’s Office (ICO) can take action against organisations and individuals that break data protection rules. These include criminal prosecution, non-criminal enforcement and monetary penalty notices.
Under the GDPR, the ICO will be able to impose fines of up to €20m or 4% of group annual turnover (whichever is greater).
Risk and accountability are at the forefront of the new rules, which focus heavily on personal data and include a number of data rights for individuals such as the ‘right of access’ and the ‘right to restrict processing’. These are not only relevant for customers and potential customers but also for company employees.
Under the Data Protection Act 1998 workers already have a legal right to access information that an employer may hold on them. This could include information regarding any grievances or disciplinary action, or information obtained through monitoring processes.
Employers can seek to collect information regarding an employee’s health if the employee freely gives consent but this needs to be justified and once collected should be held securely and for no longer than necessary.
There is already a lot of information out there on the GDPR, which is why the BWF is offering something more than a ‘one-size-fits-all’ approach to its members and is providing support to ensure that they don’t have to break stride to become compliant.
In our ‘Countdown to the GDPR’ guide we have provided specific guidance on what the new rules will mean, including FAQs and a GDPR compliance checklist (www.bwf.org.uk/toolkit/gdpr).
We all keep and collect information within the course of business, and we have the responsibility to look after this and justify why we are doing so. The new rules will in turn protect our information and serve as a wake-up call to unscrupulous businesses or companies whose philosophy is to hope for the best.
As an aside, if your business processes any personal information electronically and decides how that information is processed, then it may already need to be registered with the ICO. This is relatively simple – there is a very small fee required for SMEs – but if you haven’t done it already, we recommend you do so now.