Are you ready for the General Data Protection Regulation?
Most business owners understand the general rules, principles and compliance requirements of the Data Protection Act, which has been embedded in UK business law for years. However, with the new General Data Protection Regulation (“GDPR”) coming into force on 25 May 2018, now is a very good time to schedule a review of your business practices.
Many of the principles remain the same as those listed in the current Data Protection Act 1998; therefore, if you are complying with the current law, you have a strong starting point to build from. However, with some new rules, increased powers and heavy penalties arriving in May, it’s important for businesses to be aware of them and to begin reviewing their existing practices.
Amy Tindall, Senior Lawyer at Genus Law, has provided a summary below to help you understand the key areas of change to the law and how to avoid exposing your business to risks:
Transparency in Data Processing
Data must now be processed transparently, as well as fairly and lawfully.
What this means for your business: Businesses must ensure that individuals can understand clearly how and why their data is being processed. Also, this removes the scope for businesses to hide behind technical jargon. Therefore, privacy policies will need to be clear, understandable and easily accessible.
There are more detailed conditions for using consent, namely, consent must be “freely given, specific, informed and unambiguous”.
What this means for your business: Consent will be even more difficult to obtain and rely upon as a valid basis for transferring data. A clear, affirmative action, such as the use of an ‘opt-in tick box’, will be required to satisfy the consent requirements.
Data Subjects’ Rights
Individuals’ rights have been extended to explicitly include the right to be forgotten, the right to switch service providers (known as data portability) and the right to know if their data has been hacked.
What this means for your business: These extended rights will significantly impact businesses, particularly those that rely on the gathering, analysis and transfer to third parties of personal data.
Subject Access Requests
In most cases, data subjects will no longer have to pay a fee to access their data. Also, businesses will only have a month to comply with such requests. However, a business may refuse to act on the request if they believe it is “manifestly unfounded or excessive”. Additional information will also need to be provided to the person making the request, for example, data retention periods.
What this means for your business: Businesses will now have less time to comply with such requests. Furthermore, refusing to act on a request because it is “manifestly unfounded or excessive” will require the implementation of policies and procedures to demonstrate that the request meets the criteria.
Data Protection Officers (“DPO”)
All public authorities must appoint a DPO. Certain other businesses whose activities involve “regular systematic monitoring of data subjects on a large scale” or the large-scale processing of “special categories of personal data” will need to appoint a DPO to oversee compliance.
What this means for your business: It may be difficult to ascertain whether a business is required to appoint a DPO, and doing so will increase the administrative burden on those who are required to.
Risk-based Approach to Compliance
Businesses will have to bear the responsibility for assessing the degree of risk that their processing activities pose to data subjects.
What this means for your business: This may involve substantial changes to existing compliance strategies and arrangements and businesses should start their preparation now. The Information Commissioner’s Office has produced a 12-step guide to compliance and the link is set out below:
Harsher penalties for non-compliance with the law will be introduced. These are as follows:
- €10 million and 2% of a business’ worldwide turnover for breaches relating to internal records, security and breach notification and data processor contracts; and
- €20 million and 4% of a business’ worldwide turnover for breaches relating to data protection principles, conditions of consent, subject rights and international data transfers.
Given the disparate fines across the EU and the concept of a “one stop shop”, how data protection authorities in each Member State enforce the GDPR remains to be determined.
Practical steps to help prepare include appointing a person or team (either internally or externally) that can audit current data protection policies and procedures and identify the changes needed to ensure compliance with the GDPR. The review should cover a broad range of areas including:
- The structures in place for processing employee, client and customer data;
- Any data protection policies and/or notices;
- Agreements in relation to the transfer of data, including international transfers of data;
- Default data retention periods;
- The processes for handling data breaches;
- IT changes needed to implement changes identified; and
- Whether there is a need to appoint a DPO.
Genus Law provide legal services in a fresh, transparent way, working with our clients to provide practical, commercial legal advice. If you would like to discuss this, or any other legal issues you have, please contact our head office on 0113 320 4540, or email us at firstname.lastname@example.org