We first mentioned the General Data Protection Regulation (GDPR) to our clients back in 2016, and it is now just over six months away. The GDPR will replace the Data Protection Act 1998 (DPA) as the prevailing data protection legislation in the UK, and will apply to all organisations that process, handle or store the personal data of EU residents.
With the GDPR coming into force on 25 May 2018, the scale of its impact is starting to be recognised by UK businesses.
The purpose of the GDPR is to impose conditions on organisations so that their customers and employees know what is happening to their personal data, and can be assured that it is kept secure and is not used in a way that is excessive or unfair. ‘Personal data’ includes any information by which a natural person (a ‘data subject’) can be identified, e.g. a name or a postal/email address. The GDPR’s definition of personal data is broader than the definition under the DPA, and provides that even an online identifier, such as an IP address, can be personal data.
Whilst the essence of the GDPR has the data subject’s best interests at heart, the new set of obligations it imposes on all businesses, no matter how large or small, is substantial:
- Businesses that rely on the consent of a data subject to process data lawfully will need that consent to be freely given, specific, informed and unambiguous, given by a statement or by a clear affirmative action; in practice, consent requests must be separate from other terms and conditions, and pre-ticked opt-in boxes are invalid. For special category (sensitive) data, consent must be explicit.
- It will be the business’s responsibility to assess the degree of risk that its processing poses to data subjects.
- In relation to a personal data breach, a data controller will be required to notify the supervisory authority (in the UK, the Information Commissioner’s Office) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
- Businesses must keep detailed records of their processing activities. The appointment of a data protection officer will be mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data.
Non-compliance is not an option.
The GDPR will also introduce dramatically increased maximum penalties for mishandling data. Under the DPA, the maximum fine the Information Commissioner’s Office can levy against a data controller is £500,000. Under the GDPR, this is increased to €20 million or 4% of annual worldwide turnover, whichever is greater.
Organisations must plan now to avoid fines. Some changes will be simple and procedural, but others may require alterations to infrastructure and processes, which can be both time-consuming and costly.
In the interim, here are some basic steps businesses can take in preparation:
- Undertake an internal audit of the personal data your organisation holds, so you can identify where changes need to be made in order to be compliant and gauge the size of the GDPR’s impact on your business.
- Review how you seek, record and manage consent for data collection.
- Update privacy notices.
- Identify any third-party data handlers (processors) and check their GDPR compliance.
- Review and, if necessary, negotiate all commercial contracts.
- Update staff guidance and train them on the new rules.
- Review IT and security measures to minimise the likelihood and impact of data breaches.
- Consider whether you need to employ or assign someone to the role of Data Protection Officer, or whether this position can be outsourced.
If you would like more information on the GDPR or any other company or commercial issues, please contact Joel Molloy on E: email@example.com T: 0118 912 0229