What does GDPR mean for your business?
GDPR and the new Data Protection Act 2018 introduced a sea change for data privacy handling for all businesses. The journey you will experience depends much on your starting point for data handling and how your systems are set up.
The LH Group Difference
With the LH Group the difference in approach is clear from the start. We focus on your desired business results - we understand that for many businesses GDPR requirements were a retrofit to existing systems.
That means we examine your plans and create the map you will need to follow to embed GDPR and Data Protection into your business. We look at marketing, expansion, people and IT in a holistic way, not just checking against a list of 'must dos'.
GDPR is not 'just' about IT; it's about people, customers/clients, process, plans and the impact of system choices on your business. That is why we take a holistic and practical approach. Our consultants' many years of business experience, both in advising and running businesses, shows in the care and value we can bring to your projects. Our action-orientated approach cuts to the stuff that matters most to your business's continued health and creates a priority list for compliance - that's why it's vital that you share your plans with us from the start.
Should We Be Worried About Fines?
Fines are not the major threat of GDPR; the loss of, or damage to, reputation is. The ICO (UK-based businesses) has been clear that it wants to work with businesses to get it right, not jump in with fines and penalties. Yes, the legislation has firmed up and there are more penalties in the Data Protection Act 2018; however, these, as with all things legal, are last-resort measures.
We help you avoid the fines and penalties by having robust systems and protections in place in your business. These are processes that are easy to adopt, follow a logical step-by-step route in your plans, and help you to train your people on all that is new that they need to adhere to.
All that we do is backed by a professional indemnity insurance policy with £2M of cover - we help firms globally reach their targets.
Ready to get some help? Get a QUOTE or chat to us on 01244 300413 today - initial advice is FREE and without obligation
GDPR and Data Protection Changes in 2018
Changes to the Definition of ‘Processing’
Processing means the collection, collation, storage, retrieval, application and destruction of personal data. It's a wide-ranging definition too: it covers anything that, on its own or in connection with other data, can identify a natural living person.
It’s always important to remember, particularly when we’re almost all computer dependent, that personal data isn’t restricted to electronic data but includes anything which forms part of a data system. This means that your paper files should also fall under your scrutiny when you are considering your compliance position.
Sensitive Personal Data
Under the GDPR, sensitive personal data is regarded as:
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings,
(i) genetic data,
(j) biometric data.
So the part of GDPR which deals with ‘Processing’ (the term used in the legislation) sensitive personal data needs to be considered: allergies and skin complaints recorded by a hairdresser or beautician will be covered in the same way as those recorded by a health professional.
GDPR means that the definition of personal data will now include information which can identify an individual.
However, there will be cause for concern amongst organisations that process any data that is designed to identify an individual by IP address, software cookies, an identification number (think, for example, about mobile phone numbers) or any other online identifier, or that relates to identifying the location of an individual (as may be applied to augmented reality services, loyalty apps, loyalty cards and free wifi in public spaces).
Exceptions to Stringent Data Control
There are some exceptions when datasets can be pseudonymised (altered in such a way so as to protect the identity of an individual unless a decryption key is used), but the requirements for the security of the key are the same as those which would be required for the data were they not pseudonymised. On the upside, this does enable organisations which deal with large datasets to make those data accessible by members of staff – for example research teams – without those staff members having ready access to individual identifiers.
Whether You Welcome It or Not
GDPR is a big topic and there are some who think that it will go away after Brexit, so they’ll only have to keep their heads below the parapet for a year and it will all be over.
That’s neither a practical nor advisable approach.
Time for some practitioner-led, pragmatic advice? Talk to us on 01244 300413 or email firstname.lastname@example.org