GDPR – General Data Protection Regulation




What is the GDPR?

The GDPR is the most significant change to data protection law for 20 years. It is intended to bring data protection into the modern world, reflecting the ubiquity of digital processing and storage.

When will the GDPR come into force?

25th May 2018

Will it affect my business?

In a word, yes. The GDPR covers all processing of personal data. If you store or process people’s personal details, which can be anything from their names, to financial details, to medical conditions, then the GDPR will have an impact on you.

What are the main changes I will need to make?

This will depend on your data processes at the moment. If you are already following best practice you may not need to change very much. The first step is mapping what data you hold and being able to justify it. You may also need to make changes to your data security systems, disclosure and breach processes.

When can I process personal information?

The GDPR offers six lawful bases for processing personal information. These are the only justifications for doing so. They are:

• necessary to enter into or to perform a contract,
• necessary for compliance with a legal obligation,
• necessary to protect ‘vital interests’,
• necessary for the public interest,
• necessary for a legitimate interest,
• with the consent of the data subject.

The ICO says that consent should generally be considered the last resort, if no other justification applies.

Does the GDPR affect how long I should keep data for?

No. Your mandatory data retention periods are unchanged.

How should I store personal data, and what if I need to send it to third parties?

Make sure any data you are storing or sending is secured, for example by encryption. You should have agreements in place with any third parties detailing how your data will be handled. You can find the ICO’s data sharing code of practice here:
www.ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf


What else do I need to consider?

The GDPR gives individuals particular rights to their data:
• The right to be informed
• The right of access
• The right of rectification, erasure and to restrict processing
• The right to data portability
• The right to object
• The right not to be subject to automated decision-making

You need to make sure you have processes in place so that these rights can be exercised.

Should I handle children’s data differently?

That depends how you handle it now. Children’s data is treated as especially sensitive under the GDPR, and you should certainly make sure you are not holding more than is absolutely necessary. You should also make sure your privacy statements explain what data you will keep on children and why you need to.

The ICO is currently consulting on guidance for handling children’s data:
www.ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/children-and-the-gdpr-guidance/

Where can I find out more?

Information Commissioner’s Office

The Information Commissioner’s Office will be publishing detailed guidance in due course, and there is already a lot of helpful information on their website:
www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Small business helpline

The ICO has set up a helpline for small businesses to ask questions about how the GDPR will impact them. You can call 0303 123 1113 (option 4) to learn more.

Flick

If you are a Morton Michel policyholder then you have free access to online training from flick learning. There you can access data protection training resources, including a course on the GDPR.

Disclaimer

This leaflet is provided for information purposes and, although every effort has been made to ensure it is correct at the time of publishing, it should not be considered to be legal advice. All businesses will have different data protection requirements. You are responsible for ensuring that your business complies with relevant laws and if you are uncertain you should seek specialist independent advice.