The EU General Data Protection Regulation (GDPR) will come into force on 25 May 2018 irrespective of Brexit, and UK businesses will need to be prepared.
Compliance will likely require organisation-wide changes. If you are already complying with the current Data Protection Act, then this is a strong starting point, however there are some important new principles that businesses will need to consider and adapt to in advance of next May.
Who will the Regulations apply to?
The GDPR extends data protection principles to data processors, as well as data controllers. A data controller is the person, business or organisation that determines how and why data is being processed, and the data processor is the person acting on behalf of the controller.
This will be significantly more difficult to rely on as a condition for processing under the GDPR. Data subjects will now have to make a positive indication of consent (the opportunity to “opt-out” will not suffice) and new consent will have to be obtained each time the reason for processing or type of processing changes. It must be as easy for data subjects to withdraw consent as it is for them to give it. Businesses cannot rely on consent where the relationship between the data subject and the data controller is an imbalanced one, for example an employer and employee. In cases such as this it will be necessary to find another applicable condition for processing.
The GDPR requires data controllers and processors to keep comprehensive records about the data they process and the steps they take as an organisation to comply with the GDPR. This information can be requested by the Information Commissioner’s Office (ICO) at any time. Irrespective of whether there is a data breach, you can still be in breach of the GDPR by failing to keep adequate records.
Data Protection Officers (DPOs)
Certain organisations, such as public bodies and those who process large amounts of sensitive personal data, will now be obliged to appoint a DPO. Even if you are not required to do so, and you decide you do not need one, a record must be made of the reasons for that decision.
Where a data breach occurs, a data controller is required to notify the ICO within 72 hours of discovering a breach, irrespective of the number of data subjects the breach affects. Fines for breaches will also be significantly increased up to a maximum of €20million or 4% of worldwide turnover, whichever is higher. You may need to implement a system of reporting to enable breaches to be escalated to the correct individual in your organisation who in turn is responsible for notifying such breaches.
Increased Rights for Data Subjects
Individuals will now have the right to be forgotten and request that all their personal data held by an organisation is erased. In addition, individuals can request a copy of the personal data an organisation holds about them in a commonly used, machine readable format or have it ported directly to another data controller. This is known as a “Subject Access Request” and there is likely to be an increase in such requests, given that organisations will no longer be able to charge for providing the data.
The first step for your organisation will be to conduct a data audit to ascertain exactly what personal data you hold and how you manage it. You will then be able to identify areas where changes are required to comply with the GDPR.
We are delivering bespoke, in-house training sessions for businesses of all sizes and types on the incoming GDPR, as well as providing ongoing support in all data protection matters.
For further information, or to arrange an in-house training session ahead of the GDPR changes in May 2018, please contact Ben Jackson, solicitor in our corporate and commercial team:
Call: 0191 232 8345