The General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and is intended to harmonise European data protection laws to meet the demands of the ‘big data’ era.
To be compliant by the time the GDPR comes into force, many businesses will need to implement technical and process changes or face potentially substantial penalties.
Whilst this will pose challenges, it is also a great opportunity for businesses to reformulate their approach towards data protection and implement long-term changes to apply the principles of data protection.
Who will the GDPR apply to?
The GDPR will apply to any business, whether established inside or outside the EU, which offers goods and services to EU citizens or monitors their behaviour. It will in this sense only apply to personal data, not company data. Even though the UK is planning to leave the EU, businesses within the UK will still need to comply with the new regulation.
What will stay the same?
The GDPR retains the core rules and principles of the Data Protection Directive, enshrined in UK law by the Data Protection Act 1998 (DPA), regulating the processing and protection of personal data.
The existing rights of individuals to access their own personal data; object to direct marketing; rectify inaccurate data; and challenge automated decisions made about them are all covered in the GDPR.
What is new?
Some of the new features of the GDPR include:
- Financial penalties: Fines may be levied to the higher of €20 million or 4% of annual worldwide turnover for breaches. Individuals can also claim compensation from organisations for financial loss or distress suffered.
- Accountability, Reporting Duties & Privacy Notices: Companies will need to demonstrate that they comply with the GDPR via accurate record-keeping. The extent of such records will depend upon the size of the organisation and level of risk having regard to the nature of data being processed.
- Privacy notices must be concise and intelligible whilst containing specific information about individuals’ rights and the nature of the processing of their data. Businesses will need to report security breaches to affected citizens without undue delay and to their regulator within 72 hours.
- New rights for individuals: New rights include the right to erasure of data, the right to data portability and the right to object to profiling activities.
- Consent: Valid consent to process sensitive personal data will be more difficult to obtain and individuals must be able to withdraw their consent at any time. Consent from a child will only be valid if authorised by a parent.
- Appointment of Data Protection Officer (DPO): Certain organisations will be obligated to appoint a DPO, although voluntary appointments of a DPO or Data Lead may also be made. The role of DPO is expected to be at an executive level and will assume responsibility for meeting the GDPR obligations.
Practical steps to take now
In order to prepare your business for the introduction of the GDPR, you may want to consider the following steps:
- Identify key personal data that needs to be protected. Understand where it resides and what value the data has.
- Evaluate who has access to this data.
- Create a security strategy and policies that enable the business to protect data, secure access to it and have the means to erase it.
- Implement solutions to secure data, prevent breaches and ensure integrity.
- Put agreements in place, including data transfer solutions.
- Ensure high default privacy settings are built into new business processes (“privacy by design”).
- Conduct impact assessments on any new technologies to be adopted.
- Appoint a Data Protection Officer or Lead.
For those currently compliant with the DPA who have proactive data protection policies, the updates needed are very achievable. The Information Commissioner’s Office (ICO) has however recommended that you start preparing as soon as possible.
LK & Associates Limited are currently reviewing our own level of compliance with the new GDPR requirements and drawing up an action plan to ensure the new regulatory requirements are met.
Visit the Information Commissioner’s Office (ICO) website:
Disclaimer: This note does not contain a full statement of the law and it does not constitute legal advice. Please seek legal advice if you have any questions about the information set out above.