Unless you’ve been hiding in a cave for the last six months (or perhaps just haven’t noticed the recent influx of ‘update your preferences’ emails in your inbox) you’ll know that the General Data Protection Regulation (GDPR) is about to come into effect.
GDPR launches on 25th May 2018 as the replacement for the 1998 Data Protection Act, and aims to bring data privacy processes into the modern era of online business and social media.
If your business collects, stores or processes the personal data of EU citizens (and yes that includes British citizens both now and after Brexit), you will be affected by the new laws.
So, with the deadline looming - and potentially exorbitant penalties for non-compliance - we’ve put together a quick reminder of the main rule changes to make sure you have your house in order.
What GDPR will change - and how you need to respond
Primarily, GDPR aims to give customers greater control over their personal data, while encouraging more transparency from the businesses that hold it.
You can read a full guide to the regulations on the ICO website, but here are the main highlights:
Your business must have a ‘legal basis’ for storing and using an individual’s data…
Under the regulations, there are six possible lawful bases for processing data, but in most cases, your legal basis will likely be consent.
You’ll need to show that your customers or prospects have given you explicit consent for you to use their data, which is why so many businesses are now hurriedly sending out those opt-in emails to their subscriber bases.
Crucially, consent under GDPR requires a ‘positive opt-in’. Pre-ticked boxes or any other kind of default consent are not acceptable - so if that’s how you obtained your data in the first place, you’ll need to refresh your customer consents immediately.
Your business must document its data processes and procedures…
As well as gaining consent for the use of personal data, you’ll need to start documenting the way in which it is used in your business. It’s not sufficient simply to comply with GDPR - you need to be able to demonstrate your compliance at any given moment.
Under article 30 of the GDPR, most organisations are therefore required to maintain a record of data-processing activities, across categories such as data sharing and retention (though there are some exemptions in this area for small businesses with less than 250 employees).
You’ll also need to put written contracts in place with organisations that process personal data on your behalf, and you’ll need to establish a facility for recording and reporting any data breaches.
Your business must prepare for individuals’ enhanced rights…
Under existing Data Protection laws, individuals have the right to access the information you hold on them, and correct it as necessary. GDPR will go further, giving customers the right to have their data erased altogether in certain circumstances - known colloquially as the ‘right to be forgotten’.
At the point of collecting their data, you’ll need to share your purpose for processing the data, declare how long you’ll be keeping the data and state who it will be shared with. GDPR stipulates that this information must be ‘concise, transparent, intelligible, easily accessible, and it must use clear and plain language’.
What about the data you share with your accountant?
Like any business and any accountant, we are bound by the GDPR regulations too - so it’s our duty to ensure the data you share with us is safe, secure and used only in accordance with your permissions.
As a Xero partner however, we also recognise that we effectively invite you to share your personal data with them. Thankfully, you can rest assured that Xero is well ahead of the GDPR game.
Indeed, Xero has been busy implementing a range of measures ahead of the 25th May deadline, including making changes and improvements to the product itself.
If you’d like to know more about Xero’s approach to GDPR compliance, and how it keeps all your data safe and secure, just visit https://www.xero.com/uk/campaigns/xero-and-gdpr/
Read more of Inform's tax blogs: