Brexit doesn't change the need to comply with GDPR

David Taylor, Managing Director of Grass Roots Meetings & Events, talks about the implications of the new GDPR amid Brexit.

David Taylor, MD of Grass Roots Meetings & Events

Hopefully anyone reading this knows that their company will need to comply with the EU General Data Protection Regulation coming into force on 25th May 2018.

The fact that we have started Brexit negotiations and are now leaving the EU does not exempt UK businesses from this European ruling - despite many companies believing this to be the case. The fact is, any organisation, no matter what country it is based in, that deals with an EU company or citizen is subject to the new rulings.

The law is being implemented in an attempt to control the ever-increasing amounts of data being held by companies on individuals. Previous privacy laws are now hopelessly outdated in our internet age, where data profiling and big data are now the norm. As an intermediary, our job is to help clients capture meaningful delegate data through the registration process, so it’s very important that we achieve this whilst acting within the law. Given that the fine for non-compliance can be up to €20 million, it is likely to bankrupt many companies who ignore it. Indeed, fines against British companies under GDPR would have totalled £69 million last year rather than the £880,500 the ICO imposed, according to analysis by NCC Group.

Like many companies, Grass Roots have undertaken a review of our data handling, including the information we collect and how we store it. We also scrutinised our registration processes, checking that we had the necessary wording and consent procedures in place, as well as ensuring the delegate’s right to be forgotten. Finally, we checked that we could provide all data in the necessary digital format if required.

I’m pleased to say our review confirmed that our data protection processes complied with GDPR requirements, although despite this we decided to make an employee formally responsible for ongoing compliance and providing the necessary training to our staff around the regulations. Privacy now needs to be at the heart of company thinking, so it makes sense to me that all our staff from the top down embrace it.
