General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) creates a wider definition of personal data than the Data Protection Act and became enforceable on 25th May 2018. It covers all organisations in the public, private and non-profit sector and applies throughout the EU and beyond, even if the business itself is not based in the EU.
Does the GDPR apply to my business?
If your business processes personal data (i.e. any data relating to a data subject and from which he/she can be identified) within the EU, your business should take steps to comply with the GDPR. Processing data could be by collecting personal data via an enquiry form on your website, using email marketing to target new customers or communicate with existing clients or outsourcing your payroll or pension provision. In practice, most businesses will, in some way or other be processing personal data. Your business needs to have evidence in place that it is complying with the GDPR. That can only be done by having the necessary policies, procedures and training in place to ensure that you are taking steps to comply with the principles of the GDPR as set out below.
Principles of the GDPRUnder the GDPR, personal data must be:
- processed fairly, lawfully and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- accurate and where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
- in accordance with data subjects’ rights;
- processed in a way that ensures appropriate security of the personal data; and
- not transferred to a third country or to an international organisation if the provisions of the GDPR are not complied with.
It is also worth noting some of the wider ranging changes compared to the current Data Protection Act:
- You will no longer be able to make a charge for complying with a subject access request by an individual and the timeframe to respond will be reduced to one month from 40 days.
- The basis on which you have the right to process personal data is important- if you rely on the data subject’s consent as your legal basis to process their data, then from next year, the data subject will have a stronger right to require that their personal data is deleted.
- Children’s personal data will have special protection and it is likely that you will need a parent or guardian’s consent in order to process the child’s data lawfully.
- The level of fines for breach will increase- up to £20 million Euros or in the case of an undertaking up to 4% of the total worldwide annual turnover of the preceding year, whichever is the higher.
What should businesses be doing?
If you already comply with the Data Protection Act then you have a starting point for compliance with the GDPR and you may be familiar with some of the language used. In terms of the practical points of what you should be doing, we suggest the following:
- Make sure you understand the additional obligations under the GDPR: look at the Information Commissioner Office’s website: www.ico.org.uk so that you understand what changes may need to be made.
- Audit: you need to undertake an audit of your processes and documentation to know what needs to be changed.
- Seek appropriate advice. You may need assistance to rewrite policies and privacy notices, or to make sure your commercial agreements protect you and adhere to the obligations your business is under as a data controller or a data processor. You may also need to consider whether your insurance cover is adequate.
- Overlap with Cyber Crime prevention: you will need to consider that the IT security systems you have in place are sufficient to ensure that you are able to keep personal data secure.
Our corporate commercial team can help provide practical advice and support to ensure your business is fully GDPR compliant.