Ask The Legal Expert: The Effect Of GDPR In Rural Business
- AuthorRory Hutchings
Rory Hutchings, JCP Director and Head of the Rural Practice Team, shares his insight on just how far the new rules and regulations on data protection extend in the agricultural industry.
I run a livestock farm with a handful of employees and additional seasonal staff. I don’t handle vast amounts of personal data. How concerned should I be about the new data protection regulations?
The EU’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and it will apply to organisations that process, store or transmit personal data belonging to EU residents. At first glance it doesn’t look like this would be relevant to agriculture but farming businesses fall within the ambit of the new rules.
During the course of your business you will, I’m sure, deal with third party suppliers and contractors and you will hold some personal data on them. You will certainly hold personal data of your employees, so, it is vital you make preparations now to avoid a potential fine later.
The principle at play is that personal data must be kept securely to protect it from unauthorised or unlawful processing, or accidental loss, destruction or damage, using sensible organisational measures.
Any data processing you carry out while running your business must be done lawfully and in a fair, transparent way. The rules apply to those who control and process the data, whether this is you as a business owner, or, perhaps your book-keeper or HR administrator, who might keep employment records. You must be able to show that personal data – including names, addresses, birth dates, email and IP addresses, as well as financial data - is:
- Collected for specific, explicit, legitimate purposes
- Accurate, up to date, relevant and limited to the purposes it is being collected for
- Kept securely, for no longer than necessary
- Accessible - an inspector may wish to see it, or an individual may ask, under GDPR, for their personal data to be erased, so you must be able to access it readily
At this stage it is wise to carry out an audit of the kind of data you collect, how and when you harvest it, where you store it, who can access it, how long you keep it for and who you share it with.
You should start to consider the ‘accountability’ principle GDPR introduces and ensure that you have a privacy notice prepared to distribute to those whose data you collect.
This will help you judge whether you meet the requirements, whether you’ve put procedures in place to deal with any breach of GDPR, and how you can embed its principles into everything you do within your business.
Rory is singled out for praise in the Legal 500 for his expertise in Agriculture & Estates and Planning & Environment, and is a fellow of the Agricultural Law Association, a member of the United Kingdom Environmental Lawyers Association and also the Property Litigation Association.
JCP’s Rural Practice team is on hand for tailored and professional legal support. For further information, please call Rory Hutchings on: 01792 525 402 or alternatively via email at: Rory.firstname.lastname@example.org
For further advice, please contact our specialist Rural Practice solicitors in:
- Swansea: 01792 773773
- Cardiff: 02920 22 5472
- Carmarthen: 01267 234022
- Caerphilly: 02920 860628
- Cowbridge: 01446 771742
- Haverfordwest: 01437 764723
- Fishguard: 01348 873671
- Pontypridd: 01443 408455
The question posed is based upon a hypothetical situation.