Getting your joinery business ready for the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is coming in on May 25th 2018 and this will have implications for most businesses. BWF is providing bespoke guidance for members on what it will mean for joinery businesses, especially in terms of the data they keep on their customers or potential customers and the level of consent needed to make contact with them.
So what will the GDPR mean for your business?
A lot of joinery and woodworking businesses keep personal and customer information and this is often shared with third parties. This puts them at high risk, especially if they don't know when to ask for data consent, hang on to data which isn't relevant to their business or don't have adequate data control procedures or policies in place. This is particularly important in the event of a data breach. Under the GDPR, data breaches must be notified to the Information Commissioner's Office (ICO), normally within 72 hours.
The new rules will bring stricter obligations that all employers must follow. This should not mean a bonfire of employee data or contact lists, but they will require companies to map out which parts of the GDPR will impact their business and address this.
**BWF has provided guidance and FAQs to help you comply with the new data protection rules. Follow the link to log in and download our Countdown to the GDPR: What your joinery business should be doing presentation.**
The ICO should be your next port of call as it provides some overview guidance that BWF has incorporated into its own advice. Here you can view an overview of the regulation and a checklist of 12 steps you can take to get ready.
What are the penalties for breaking data protection rules?
There are currently a number of tools available to the ICO to take action against organisations and individuals that break the rules in terms of collecting, using and keeping personal information. These include criminal prosecution, non-criminal enforcement and the issuing of monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act. Under the GDPR, the ICO will be able to impose fines of up to 20 million Euros or 4% of group annual turnover (whichever is greater).
Are you registered with the ICO?
If your joinery business processes any personal information electronically and decides how that information is processed, then you'll probably already need to be registered with the ICO under the Data Protection Act. This is relatively simple (there is a very small fee required for SMEs), but if you haven't done it already, we recommend you do so now using this link.
What are the current data protection rules?
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. Until then the Data Protection Act 1998 still applies. The Data Protection Act is concerned with respecting the rights of individuals when processing their personal information. ACAS advise that this can be achieved by being open and honest with employees about the use of information about them and by following good data handling procedures. The act is mandatory and all organisations that hold or process personal data must comply.
All staff have responsibilities under the Act to ensure that their activities comply with the Data Protection Principles. Line managers have responsibility for the type of personal data they collect and how they use it. Staff should not disclose personal data outside the organisation's procedures, or use personal data held on others for their own purposes.
Data protection for employees
The rules on employee data protection will be strengthened when the GDPR comes in. At the moment workers have a legal right to access information that an employer may hold on them through the Data Protection Act. This could include information regarding any grievances or disciplinary action, or information obtained through monitoring processes.
ACAS advise that the Data Protection Act will apply if employers are monitoring employees, for example to detect crime or excessive private use of e-mail, internet use etc. However, the Act requires that workers be made aware of the nature of and reason for any monitoring.
Employers can seek to collect information regarding an employee's health if the employee freely gives consent. Employers should consider why they need the information and exactly what information is needed. Once collected, this information should be held securely, for example by allowing only one or two people access to it or by password protecting it. Employers should check that the information collected can be justified.
Not a BWF member but thinking of joining? Use this quick response form to provide us with some contact details. We will send you an email to confirm your interest and then one of our experienced membership team will be in touch to complete the membership process.