The events industry depends on sharing and handling data. This data includes subscriber lists, visitor and exhibitor data, and more, so ensuring that the events industry and the companies working in it are compliant has never been as important as it is now.
The General Data Protection Regulation (GDPR) comes into force in three months’ time, on the 25th May 2018. It represents a significant modernisation of data protection law, one that takes into account major developments in technology and new uses of personal data that simply did not exist when the current legislation, the Data Protection Act 1998, was written. Now is the time to start tackling data protection. Keen to protect our clients’ and suppliers’ personal data, and to protect our company as much as possible, Display Revolution have put practices in place that ensure 100% compliance.
The GDPR brings with it many changes and improvements to data protection law, including:
- Enhanced documentation and record-keeping requirements
- Enhanced privacy notice (or “fair processing notice”) requirements
- Stricter rules on consent to data processing
- A new mandatory requirement to notify the ICO (and data subjects in certain cases) of a data breach
- Enhanced rights for data subjects
- New obligations for data processors
- New rules requiring the appointment of Data Protection Officers
- New, tougher penalties for failure to comply with the law.
For individuals, GDPR introduces new rights. Individuals will have greater control over the data businesses hold on them and over what data may be retained, including a say on when it should be deleted or transferred to other parties.
For businesses, one of the biggest wake-up calls is ensuring that individuals are actually able to exercise those rights. For many businesses, this will involve taking a long, hard look at how consent is obtained for certain data processing activities. It also involves an ongoing review of the technical and organisational measures used to protect personal data.
Businesses based outside the EU will need to comply with GDPR if they process, manage or store personal data relating to data subjects in the EU, or if they process personal data on behalf of EU businesses.
So, no matter where you are based, if you do business in the EU or with people and organisations in the EU, you need to ensure GDPR compliance. If you don’t, you could be in breach and heading for a weighty fine of up to 4% of global turnover or EUR 20 million, whichever is the greater.
Here are a few ways you can prepare your business for GDPR:
- Build understanding. Ensure that decision makers and key staff are aware that the law is changing. Everyone involved in the GDPR-readiness project should be aware of their responsibilities, so set out staff awareness and training so that people know what they need to do and when.
- Map your data. Having the right tools in place to discover what data you hold, and to manage, protect and store it, is vital for GDPR compliance.
- Consider designating a Data Protection Officer. Decide who will take responsibility for compliance and where this role will sit within your organisational structure. For many businesses, this will involve formally designating a Data Protection Officer within the company.
- Review your security breach prevention procedures. This will involve a security audit to confirm that the data protection measures you have in place are adequate. Make sure you have the right procedures in place to discover, respond to and report breaches in accordance with the Regulation.
- Review and refresh your consent procedure. Look at how you obtain, record and manage consent. Consider whether any changes will be needed to your existing procedures in good time for GDPR implementation. The same applies to your current privacy notices.
- Do you make it possible for individuals to exercise their rights? If a customer asks for a copy of the data you hold on them, will you be able to provide it? What happens if someone asks you to delete their data or transfer it to another party? Review your framework and procedures to confirm that, if you receive such requests, you can comply.
How GDPR affects you in detail depends on the nature of your processing activities, but regardless of the size and shape of your business, the chances are high that you are in scope.
If you are not sure whether GDPR applies to you, it is best to assume that it does!
Companies out there still using Excel spreadsheets to store individuals’ personal information could be in a predicament. It is imperative that you act now and make the necessary changes before the 25th May 2018. For more information on GDPR, go to this page.