With the New Year here, the implementation date of the General Data Protection Regulation ('GDPR'), which replaces the current Data Protection Act 1998 ('DPA'), is fast approaching.
The GDPR will come into force on 25 May 2018 and your organisation will need to prepare well in advance of the imminent changes.
The GDPR will be the primary law regulating how your organisation protects personal data. All companies and organisations that deal with personal data relating to EU citizens must comply with the new GDPR.
It is important that your organisation has an understanding of the differences between the current regime under the DPA and the new GDPR.
10 important changes under the GDPR
Increased enforcement powers – the maximum fine in the UK is currently £500,000. The GDPR will significantly increase the maximum fines: fines will be up to 2% or 4% of annual worldwide turnover, or 10 or 20 million euros, whichever is higher!
Data processors – currently data protection laws do not apply to data processors, but the GDPR introduces direct rules covering them, meaning they have joint liability with data controllers!
Privacy impact assessments – organisations will be required to carry out data protection impact assessments when implementing any processes that use new technology that is likely to result in a high risk to data subjects.
Privacy by design – organisations must take data protection requirements into account from the inception of any new technology, product or service that involves the processing of personal data.
Data protection officers – it will become mandatory for certain organisations to appoint a data protection officer if certain requirements are met.
Subject access requests – the GDPR makes several changes to the current subject access regime, namely that the £10 fee no longer applies and there are stricter time limits for responding to a request (1 month).
Consent – the GDPR places higher obligations in relation to consent. Consent must be freely given, specific, informed and unambiguous, and must now be given by some form of clear affirmative action.
Privacy notices – under the GDPR, privacy notices must include the legal basis (i.e. the reason) for processing data and the data retention periods.
Notification – the notification process is being removed. Instead, there will be an obligation on the data controller and the data processor to maintain certain detailed documentation.
Data breaches – the GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority and, in some cases, to the individuals affected.
What are the practical implications?
The GDPR is a uniform set of rules which are entirely manageable if taken seriously and complied with. Methods of compliance will differ depending on the size, nature and resources of your organisation. The best approach is to act now in readiness for the impending changes: it is important for your organisation to think strategically and to prepare for the scale of the challenge ahead.
What can your organisation do now?
- Start auditing all of your organisation's different uses of personal data;
- Understand the grounds on which you collect personal data;
- Consider the level of data protection understanding throughout your organisation;
- Assess the current mechanisms you have in place to gain consent.
If you are concerned about what impact the GDPR may have on your organisation, or are worried that your current approach to data protection measures may leave you exposed, speak to a member of our specialist GDPR team, Martin McKinnell, Jessica Maine or Laura Kirkpatrick.