What is it?
The GDPR was drafted to harmonise and simplify the data protection laws of the EU member states. The EU wanted:
- To give people more control over how their personal data is used; and
- To make data protection law consistent across the single market.
Will it still apply to the UK post Brexit?
Article 3 defines the territorial scope: the GDPR applies to anyone who offers goods or services to data subjects in the EU, or monitors their behaviour, ‘regardless of whether the processing takes place in the Union or not’. So a company outside the EU which targets consumers in the EU will be subject to the GDPR. This, together with the fact that the UK will need to demonstrate its commitment to data protection to the EU and other countries in order to keep data flowing, means that the UK’s departure from the EU is unlikely to have any effect on the implementation of the GDPR.
So, in all likelihood, the GDPR will apply in the UK from 25th May 2018. Because it is a regulation it applies directly, so the UK does not need to draw up new legislation for it to take effect. With less than a year to go until the law changes, Information Commissioner Elizabeth Denham has described it as ‘the biggest change to data protection law for a generation’ and urged businesses to act now.
Will it apply to you?
If you collect, store or otherwise use personal data relating to individuals in the EU (which, for now, includes the UK!), then the GDPR will apply to you. It applies to data subjects in the EU, not only to EU citizens.
What does the GDPR do?
In a nutshell:
- It gives individuals in the EU more control over their personal data, making it easier to access it, delete it and transfer it to another provider.
- Consent is only one of the lawful bases for processing, but where companies rely on it they must obtain specific, informed and freely given consent, and in every case they must provide full details of how the personal data will be handled, including how long it will be held for.
- Consumers have a right to have their personal data kept secure. There is also a right to complain if data is mishandled or misused, and a right to be told about a breach of their data where it is likely to put them at high risk.
- Consumers have a right to ‘be forgotten’ and the right to object to their data being used.
- The GDPR places great emphasis on accountability: businesses will have to demonstrate compliance with the principles, not merely comply. This will involve maintaining written records of processing activities and implementing and maintaining a proactive approach to data protection.
- A data protection officer (DPO) will need to be appointed where the core activities of the business require regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (such as health data), and by public authorities.
- The GDPR has expanded territorial reach, so companies outside the EU which target consumers in the EU will be subject to it.
- If you suffer a personal data breach, you will have 72 hours from becoming aware of it to report it to the ICO, unless the breach is unlikely to result in a risk to the individuals concerned. Data that was encrypted (and therefore unreadable to whoever obtained it) is the main example of a breach that may not need reporting, and encryption also removes the separate duty to notify the affected individuals, but you must still record the breach internally and be able to justify the decision not to report.
Why is it important?
Companies failing to comply with the GDPR could face fines of up to 20 million Euros or 4% of annual worldwide turnover, whichever is higher, together of course with other consequences such as damage to reputation.
12 steps you need to take now
- Document the personal data that you hold – If you are not sure what personal data you hold, establish this by conducting an audit: what data, where it came from, where it is stored, who it is shared with and why. Once you know, document it, as the GDPR places an obligation on you to maintain records of processing activities.
- Make a hit list – identify the processing activities that carry the greatest risk to individuals (and to you) and list them. Consider how the data is processed so that you can decide how best to manage the risk.
- Establish who is taking responsibility for data protection – If your core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, you will have to formally designate a Data Protection Officer (DPO). If this does not apply to you, you should still designate a person or a team (depending on the size of your business) to ensure continuous compliance with the GDPR. Ensure the person or team understand their duties and responsibilities.
- Prepare notices to data subjects – the GDPR sets out a list of information that must be given to data subjects about your processing activities, typically in a privacy notice.
- Review how you obtain consent – this will involve a review of how you seek, record and manage consent. You may need to change your current procedures, as the conditions for valid consent are harder to meet under the GDPR (pre-ticked boxes and silence do not count).
- Review privacy preferences – Review how consumers can manage their privacy preferences and whether you need to make any changes to meet your obligations under the GDPR.
- Consider what technical measures you have in place – you will need measures appropriate to the risk to ensure that the personal data you process is adequately protected; the GDPR gives encryption and pseudonymisation of personal data as examples. Your cyber-security policy and measures will be relevant here.
- Put systems in place for children’s data – the GDPR brings in special protection for children’s personal data. Where you rely on consent to offer online services directly to anyone under the age of 16 (member states may lower this to 13), you will need a parent or guardian’s consent in order to process their personal data lawfully. You will also need systems in place to verify individuals’ ages – i.e. will you know when you are dealing with a child’s data?
- Data Protection Impact Assessment – the rules make it mandatory to carry out an impact assessment before starting any processing that is likely to result in a high risk to individuals, for example large-scale profiling or monitoring.
- Training and awareness – everyone in your company needs to know that the law is changing, and what it means for them. The longer you leave it, the more difficult complying will be. Look out for our webinar on the subject.
- Subject access requests – plan how you are going to handle them and make sure that employees know what they are and that they should be referred immediately to the DPO or other senior person. The time frame has been reduced from the current 40 days to one month (extendable by a further two months only for complex or numerous requests). You will no longer be able to charge the £10 fee, so you could potentially be bombarded with requests, and you will need to provide copies of the data within one month (a summary of the data held will no longer be an option). You can however refuse to comply with a request that is manifestly unfounded or excessive, or charge a reasonable fee for it – but you will need a policy in place for this and must be able to justify the decision.
- Develop a data breach plan – if the worst happens, you need to have a plan in place to deal with it. You will need a formal procedure to ensure that breaches are detected, investigated, recorded and, where required, reported to the ICO within 72 hours.