The clock is counting down towards the biggest overhaul of EU data protection legislation for decades. The General Data Protection Regulation (GDPR) applies from 25 May 2018, sweeping away the current legislation and carrying substantial penalties for non-compliance. Is your business ready?
What is the GDPR?
When it takes effect, the GDPR will replace the data protection legislation currently in force in EU member states, including the UK’s Data Protection Act 1998 (DPA). The GDPR runs to 99 articles and 173 recitals and contains substantial and ambitious changes to the law. It significantly strengthens and upgrades the current regime, aiming to provide a “gold standard” of data protection across the EU. The GDPR is an EU regulation, not a directive, and is therefore directly applicable in all EU member states without the need for national implementing legislation. It also introduces a “one stop shop” mechanism: an organisation with establishments in several member states deals primarily with a single lead supervisory authority, which coordinates enforcement with the other authorities concerned.
Who has to comply?
All organisations established in the EU that process personal data must comply, whether or not the processing itself takes place in the EU. Additionally, any organisation based outside the EU that offers goods or services to individuals in the EU, or monitors the behaviour of individuals in the EU, is caught by the new regulations. Companies are therefore directly responsible for data protection compliance wherever they are based if they process the personal data of individuals in the EU.
The key terms
The GDPR will alter your customers’ expectations as to how you handle their personal information. Article 5 sets out six principles stating that personal data must be:
- Processed fairly, lawfully and transparently;
- Collected for specified, explicit and legitimate purposes only, and not further processed in a way incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to its purpose;
- Accurate and, where necessary, kept up to date;
- Stored in a form that identifies individuals for no longer than is necessary; and
- Processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Article 5 adds an accountability principle on top of these: the controller is responsible for compliance with the principles and must be able to demonstrate it.
A compliance guide – how to prepare for the GDPR
Businesses should start to prepare now for the significant changes contained in the GDPR. Compliance with the DPA does not mean that your business will automatically be compliant with the GDPR. This compliance guide sets out some key changes under the GDPR and the actions your business needs to consider. It is by no means an exhaustive list, but it is a good starting point.
Consent
Give individuals more information at the time their data is collected. Fair and transparent processing of information is paramount.
Consent will become harder to obtain and can be withdrawn at any time. It must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: pre-ticked boxes, silence or inactivity will not do. You will need a clear agreement and documented evidence of what each individual consented to, when and how. Note that consent is only one of the lawful bases for processing under Article 6; where another basis, such as performance of a contract or legitimate interests, genuinely applies, relying on consent may be unnecessary and unwise, since it can be withdrawn.
Action – review and revise your procedures for obtaining, recording and monitoring consent, and for honouring withdrawal, and ensure compliance with the GDPR.
Compliance and accountability
New requirements will be introduced for controllers to be able to demonstrate compliance, by documenting their data processing activities. A data protection impact assessment will be required where processing is likely to result in a high risk to individuals, for example large-scale use of new technologies or systematic monitoring.
Action – conduct a risk assessment. Review and revise, if necessary, your current decision-making and processing activity records to ensure you can demonstrate compliance. Introduce data protection impact assessments for new projects that are high risk.
Enhanced rights for individuals
In addition to existing subject access rights, individuals will gain the right to receive the data they have provided in a structured, commonly used and machine-readable format, and to have it transmitted to another controller (data portability), and the right to have their data erased (the right to be forgotten) where, for example, it is no longer needed for the purpose it was collected for or they withdraw their consent. You can no longer keep individuals’ data for longer than the purpose, or the consent they gave, allows.
Action – review and revise your procedures for handling access, portability and erasure requests; the standard deadline for responding to a request is one month.
Privacy notices
The GDPR increases the amount of mandatory information you need to include in privacy notices, such as the lawful basis for processing, retention periods and the individual’s rights, while requiring that notices remain concise and intelligible.
Action – update your existing privacy notices in line with the regulation, including the additional information and ensuring plain language is used.
Mandatory breach notification
Controllers must report a personal data breach to the supervisory authority (in the UK, the Information Commissioner’s Office) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, they must also be told without undue delay. Processors must notify the controller of any breach without undue delay.
Action – review incident response procedures to ensure you can detect a breach, assess its risk and meet the notification deadline. Keep a record of every breach, including those you decide not to report, so that you can demonstrate compliance.
Appointing a Data Protection Officer
Public authorities, and companies whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data (such as health data) or criminal conviction data, will be required to appoint a Data Protection Officer. Other companies should still appoint an officer responsible for data protection.
Action – decide whether you need to appoint a Data Protection Officer or another officer responsible for data protection.
Children’s data
The GDPR introduces specific protection rules for children, including an age of consent for the processing of children’s personal data by online services. Where an online service is offered directly to a child and relies on consent, the GDPR states that a child under the age of 16 cannot give that consent themselves; it must be given or authorised by a person holding parental responsibility. This rule can vary between member states, as they have the option to lower the age of consent to no less than 13. Privacy notices addressed to children must be written in language a child can understand. Where parental or guardian consent is required, it must be verifiable: the controller must make reasonable efforts to check that it has actually been given.
Action – if you collect children’s data, you will need to establish age verification and parental consent procedures compliant with the regulation’s requirements.
Security
Security measures must be appropriate to the risk of the processing. The GDPR expressly mentions pseudonymisation and encryption of personal data, the ability to restore availability and access to data after an incident, and regular testing of the effectiveness of security measures.
Action – review and update security measures against these requirements and consider setting up a central breach management unit.
Contracts with processors
You will need to include new mandatory terms in your contracts with data processors, and processors will have direct obligations of their own, including keeping records of processing, implementing appropriate security and notifying the controller of breaches. This will be a major change for suppliers previously not subject to data protection law.
Action – if you are a controller, update your contracts with processors. If you are a processor, consider the GDPR implications for your own obligations and your contracts with sub-processors.
International transfers
If your business operates internationally, additional compliance rules apply. Transfers of personal data outside the EU are permitted only where the destination country benefits from an adequacy decision or appropriate safeguards, such as standard contractual clauses or binding corporate rules, are in place.
Action – determine which lead data protection supervisory authority you come under. Audit international transfers, and the transfer mechanism each relies on, to ensure compliance.
Dos & Don’ts
There is an expectation in the GDPR that data protection compliance will be at the forefront of any new project: data protection by design and by default. Risk assessments should be carried out, and risks identified and managed, from the earliest stages of new projects, whether relating to new products or the provision of services. Some basic compliance ground rules to consider are:
Do limit the type and volume of data collected to the specified purpose.
Don’t collect special category (sensitive) data unless absolutely essential.
Do raise awareness of the GDPR throughout your business.
Don’t rely on your existing procedures and policies as they will almost certainly require amendment no matter how robust.
Do store data securely.
Don’t keep data indefinitely or store unnecessary data.
Do enhance control procedures relating to data sharing both within your business and from your business.
Don’t send data outside the organisation unless additional protections are in place.
Do establish strict policies throughout your business up to management board level.
Don’t ignore the importance of compliance.
Consequences of breach
The GDPR includes a large step change in sanctions for non-compliance with data protection legislation. For the most serious infringements, businesses can face fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher, with a lower tier of up to 2% of turnover or €10 million for other breaches of the regulation.
Do not play the Brexit get-out-of-jail-free card
UK businesses should continue to prepare for the GDPR irrespective of Brexit. The government has indicated that the provisions of the GDPR will be carried forward into UK law in any event. If your business deals with individuals in the EU, or any part of your business is established in the EU, you are caught by the regulation regardless.
No matter what stage you are at, we can advise and assist you in ensuring your business is ready for the GDPR. Every organisation will be impacted by the new legislation in different ways. Our data protection expertise can help establish what your business’s new obligations will be, what the gaps are in your current compliance and establish a timetable for the changes needed to ensure your business is compliant before the countdown clock runs out.
Saracens Solicitors is a multi-service law firm based in London’s West End. We have dedicated and highly experienced IT law solicitors who can advise on all legal matters relating to the GDPR. For more information, please call our office on 020 3588 3500.