Impending rule changes governing the way that businesses manage and store customers’ personal data come into force on 25th May 2018. Now is the time to prepare.
Called the General Data Protection Regulation (GDPR), this new legal framework is the biggest change to data privacy legislation in over two decades, according to audit, tax and consulting firm RSM. They, and others, are urging workshops to complete their preparation now. Failure to comply with the new rules could see garages facing significant financial penalties and damage to their reputation. For example, under the current Data Protection Act the maximum fine for a serious breach is £500,000. Under GDPR this rises to a theoretical maximum of €20 million (around £17 million) or 4% of global annual turnover, whichever is higher.
WHY HAS THIS COME INTO FORCE?
Steve Snaith, Technology Risk Assurance (TRA) Partner at RSM, explains, “In a growing digital economy, where data can be collected and stored within seconds, there is more risk of cyber security breaches, which was highlighted by the recent WannaCry ransomware attack. Therefore it’s increasingly important to make sure clear processes and safeguards are put in place to protect both clients and companies.”
Steve adds that, although GDPR is a welcome attempt to curb growing fears around how companies use and manage personal information, the new framework, “will drastically affect the future of stored personal data and increase company accountability.”
The GDPR places greater emphasis on the documentation businesses must keep to demonstrate their accountability. Compliance with all the areas listed in this document will require organisations to review their approach to how they manage data protection. One aspect of this might be to review the contracts and other arrangements you have in place when sharing data with other businesses with whom you work. Do you share customer details with a mobile smart repairer, main dealer, diagnostics specialist, or valeter perhaps?
TYPES OF PERSONAL DATA
Like the Data Protection Act (DPA), the GDPR applies to ‘personal data’. However, it has a broader definition of what constitutes personal data, reflecting changes in technology. Information such as an online identifier – for example, an IP address – can be personal data.
For most workshop businesses, keeping HR records, customer lists, or contact details, the change to the definition of personal data should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
However, the GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records or job cards, containing personal data.
SO, WHAT DO YOU NEED TO DO?
Small businesses have access to a dedicated advice line. To access the new service, dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support. As well as advice on preparing for the General Data Protection Regulation, callers can also ask questions about current data protection rules and other legislation regulated by the ICO, including electronic marketing and Freedom of Information.
Some of the new obligations scale with the size of the organisation. For example, the duty to keep full records of processing activities applies in full only to businesses with 250 or more employees, although smaller businesses must still keep records where their processing is not occasional or involves sensitive data. For most workshops, the following are the key steps:
1 – Identify what types of personal data you collect, store and manage
2 – Review whether the information you keep meets data protection and GDPR requirements
3 – Review how you seek, record and manage consent (or whichever other lawful basis you rely on) for storing and, if relevant, sharing data
4 – Ensure the same from any third party contractors or business partners
The Information Commissioner’s Office (ICO) website will be updated as new information is available. Already the site has some useful information, including a ‘12 Steps to Take Now’ document and a ‘What to Do Next’ tool.
The Government has confirmed its plans to introduce a Data Protection Bill into Parliament. This should become law in 2018, replacing the current Act.
Visit https://ico.org.uk to find out more and stay up to date.