Does your organisation or business collect, record and store personal data, or carry out any other processing with it? If the answer is 'Yes', you need to be aware of the new General Data Protection Regulation (GDPR). The GDPR is already in force, but it will not apply in the UK until 25th May 2018. The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR.
The GDPR applies to data ‘controllers’ and data ‘processors’. The definitions are broadly the same as under the Data Protection Act (DPA) – ie the controller determines how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
Failing to consider the implications of the GDPR for your business will result in more than a slap on the wrist; it is likely to mean heavy financial penalties and media scrutiny. Organisations in breach of the GDPR can be fined up to 4% of annual worldwide turnover or €20 million, whichever is higher. A data breach can also lead to criminal proceedings, damages claims against you and your business, job losses, loss of existing and future clients, damage to the reputation of your business and, at worst, complete business failure.
The first thing to note is that many of the processes and principles introduced under the GDPR are much the same as those under the current DPA, which the GDPR replaces. If your business is compliant now, you are already on your way to compliance under the GDPR. However, there are some new elements and significant enhancements, which means you will need to take early steps to review your current policies and procedures. The ICO (Information Commissioner's Office) is the organisation that oversees privacy regulation and the DPA in the UK. It has published 12 key steps you can take now to get ready for the incoming regulation:
1. Awareness – at board level and throughout the organisation everyone needs to be made aware of the changes and impact of GDPR. There must be a concerted effort across the whole organisation.
2. Information you hold – what personal data do you hold, where did it come from and who do you share it with? If you have not already undertaken an information audit, you need to start the process now.
4. Individuals' rights - You should check your procedures to ensure they cover all the rights individuals have, including how you will delete personal data on request or provide it electronically in a commonly used, machine-readable format.
5. Subject Access Requests - You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information. Under the GDPR you will normally have one month to respond, rather than the current 40 days, and in most cases you will no longer be able to charge a fee.
6. Lawful basis for processing personal data - You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7. Consent – The conditions for consent have been strengthened, so you should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it, and pre-ticked boxes or silence will not count as consent.
8. Children - You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
9. Data breaches - You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. A breach that is likely to result in a risk to individuals must be notified to the ICO without undue delay and, where feasible, within 72 hours of first becoming aware of it; where the risk is high, the affected individuals must be told as well. Keep a record of every breach, including those you decide not to notify, and of the reasons for that decision.
10. Data Protection by Design and Data Protection Impact Assessments - At its core, privacy by design calls for data protection to be built into systems from the outset of their design, rather than added as an afterthought. A Data Protection Impact Assessment becomes mandatory where processing is likely to result in a high risk to individuals, such as large-scale processing of sensitive data or systematic monitoring, so you should work out now which of your activities will require one.
11. Data Protection Officers - You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. You should also consider whether you are required to formally designate a Data Protection Officer, which applies to public authorities and to organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data.
12. International - Arguably the biggest change to the regulatory landscape of data privacy is the extended territorial reach of the GDPR. It applies not only to organisations established in the EU but also to those outside it, regardless of location, where they process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. If your business operates in more than one EU member state, you should also determine which supervisory authority will be your lead authority.
Having a clear, documented strategy for how your organisation's data activities meet the GDPR and existing privacy law will become essential; the GDPR requires you to be able to demonstrate compliance, not merely to comply. If you care about your business, you will care about what the GDPR means for it and how to ensure it is fully compliant when 25th May 2018 comes round.
For advice on how to ensure your business complies with the new GDPR, please contact Philip McBride at John McKee on 028 90232303 or at firstname.lastname@example.org