From May 2018 onwards, the General Data Protection Regulation (GDPR) will apply in the UK.
Businesses that rely on cloud management services involving personal data must take action to ensure that they meet the regulation. Failure to do so will result in significant fines of 20 million euros or 4% of your overall turnover.
How does GDPR work?
The General Data Protection Regulation comes with some very strict rules about how you handle data.
“Any personal data whatsoever that you may happen to be holding on a customer, employee or candidate falls within the remit of GDPR and you must have the explicit consent from the subject of the data to legally hold that data. This means that you need to make sure every last piece of data in your CRM has an explicit consent attached to it before you can use it, or you have to delete the record.” – Nasstar, 2017 http://blog.nasstar.com/general-data-protection-regulation-guide/
Records must be deleted if a candidate, employee or customer requests it under the ‘right to be forgotten’ principle. You will have seven days to delete the data, and failure to do so can result in fines or data audits.
Any data that you hold must be given to you by candidates, customers or employees, which means that you will not be able to share data freely amongst organisations or sell to third party brokers.
The customer, employee or candidate will have full right to see a copy of their data if they ask for it.
How does it impact my business?
You will need to ensure that you have effective security measures in place when designing your CRM, internal processes and business platform. Failure to implement effective security processes will result in a breach of the GDPR. The regulation is intended to improve security globally in the face of the ever-increasing threat of cyberattacks.
If you suffer a breach as a result of a cyberattack, you must report it to the Information Commissioner within 72 hours, and by law you must also notify all affected individuals and parties; failure to do so will result in a fine.
You will also need to employ a Data Protection Officer to internally regulate the use of data within your organisation.
What do I need to do?
- Understand how GDPR affects your business.
- Carry out a data flow audit to help locate the sources of your data.
- Review and update your procedures and policies to achieve compliance with the GDPR.