The General Data Protection Regulation (GDPR) will come into force in the UK on 25 May 2018 after four years of negotiations and unprecedented levels of lobbying by businesses.
These new rules will cause significant disruption to how organisations store, manage and process personal data, with significant penalties for those who don’t comply.
What is the GDPR?
The new legal framework is the biggest change to data privacy legislation in over 20 years. Digital advancements over this time have meant that consumer data is created, collected and stored within seconds. It is more important now than ever to have clear laws and safeguards in place, given the growing digital economy and associated cyber security risk.
Does Brexit impact GDPR?
The GDPR aims to protect EU citizens’ personal data, regardless of borders or where the data is processed. The new rules are much broader than the 1995 Data Protection Act, with a more expansive definition of personal identifiers: an IP address, for example, is now classified as personal data. Businesses based outside the EU will still need to be compliant if they have EU customers. As such, the UK’s decision to leave the EU will not affect the need to comply with GDPR.
What are the penalties?
The penalties are significant: fines for non-compliance of up to €20m or four per cent of annual global turnover could be imposed.
How does this affect my business?
Any company that processes consumers’ personal data will need to comply with the new obligations. That means firstly understanding the changes to the existing processes under the new rules:
- Consent – do you have explicit consent from individuals for the data you hold about them?
Under the new rules the requirements have been tightened significantly. Requesting consent from a consumer to process their personal data must be unambiguous.
- New responsibilities – are you a data processor or data controller responsible for processing personal data?
Under the GDPR, data processors will have greater legal liability and are required to maintain records of personal data and processing activities. There are also further obligations on controllers to ensure that any third-party contractors also comply with the GDPR, eg cloud hosting or outsourcing.
- Accountability – do you have a data protection programme and are you able to provide evidence of how you will comply with the requirements of the GDPR?
Organisational and technical measures to protect personal data are now the responsibility of both the data controller and the data processor. Data protection and privacy requirements should be built into the development of your business processes and systems.
- Mandatory breach notification – would you be able to notify a data protection supervisory authority of a data breach within 72 hours?
You will need internal processes that allow you to report and manage communications with affected consumers quickly and accurately.
- New rights – do you know how you will comply with the new rights: the right to be forgotten, the right to data portability, and the right to object to data profiling?
You will need processes in place to comply and to provide assurance that these rights have been adhered to (including notifying third parties).
- Data protection officers – do you conduct large-scale systematic monitoring (including employee data) or process large amounts of sensitive personal data?
Where large-scale processing of data is evident, a dedicated Data Protection Officer needs to be appointed.
How we can help
Our specialists can help you to ensure compliance in the first instance, and provide the evidence to prove it in the second. Through robust analysis we will identify any risks and implement processes and systems to ensure compliance:
- GDPR gap analysis
- Privacy Impact Assessment
- GDPR awareness sessions
- Breach management processes
- Security monitoring and reporting
Please contact one of the team below for further information:
Sheila Pancholi, Partner
Steve Snaith, Partner
David Morris, Director