On May 25th, 2018, the General Data Protection Regulation will come into force in the UK. General Data Protection Regulation, also known as GDPR, is an EU regulation designed to offer higher levels of protection for people’s personal data.

In the UK most businesses including events venues in London, like us at 8 Northumberland Avenue, will need to make some changes to the way personal data is collected and stored. We’ve put together some information to help you understand GDPR and how it will affect your business:

GDPR Background

Data protection legislation was last updated in the UK in 1998, with the Data Protection Act. Almost 20 years of technological advances mean that the Act is largely out of date, and the GDPR is set to replace it.

UK businesses will need to comply with the new regulations for two reasons. Firstly, the UK is unlikely to be separated from the EU by the time the legislation is put into action and consequently, will be bound by it. Secondly, any business that aims to collect personal data from individuals in the EU, or use internet monitoring of individuals in the EU, will need to comply regardless of where they are based.

What should businesses do to comply?

Appoint a Data Protection Officer (DPO)

If your business gives, receives or possesses personal data, you’ll need to appoint a DPO to oversee the secure handling of this information. A DPO can be an employee of your business, or the role can be outsourced to a third party. If your IT needs are already outsourced, you could discuss the additional responsibilities with your provider.

Update T&Cs and privacy policies

It’s likely that your standard agreements such as terms and conditions, or privacy policies will need to be updated to ensure they reflect the GDPR requirements. Speak to the team that helped create your original agreements – they may be specialising in these adjustments in the lead up to the deadline.

Assess internal policies

Thoroughly review your internal data security policies to make sure they are compliant with the new regulations. Review HR policies, general IT policies, and any policies tailored to individuals or businesses.

How much work needs to be done on internal policies in order to meet the new rules, will vary greatly from business to business. An events venue in London, for example, will have very different data management needs compared to a finance broker or retailer with a loyalty card program.

What happens if a business doesn’t meet the regulations?

While it’s unclear how the regulation will be enforced, breaches can lead to fines that total 4% of global turnover, or €20 million; whichever is greater. This could lead a business to insolvency.

It’s critical that businesses gain a thorough grasp of these new requirements. While some segments of the GDPR are similar to the current Act, some changes may make currently held data unusable. It is very easy to underestimate how much time it will take to review and update legal agreements and internal policies. May 2018 is less than a year away, so it’s best to act swiftly.