The General Data Protection Regulation: What do you need to do to prepare?
The EU General Data Protection Regulation (GDPR) is set to become enforceable from the 25 of May 2018. The GDPR creates a wider definition of personal data than the Data Protection Act. It covers all organisations in the public, private and non-profit sector and applies throughout the EU and beyond, even if the business itself is not based in the EU.
Does the GDPR apply to my business?
If your business processes personal data (i.e. any data relating to a data subject and from which he/she can be identified) within the EU, your business should take steps to comply with the GDPR. Processing data could be by collecting personal data via an enquiry form on your website, using email marketing to target new customers or communicate with existing clients or outsourcing your payroll or pension provision. In practice, most businesses will, in some way or other be processing personal data. Your business needs to have evidence in place that it is complying with the GDPR. That can only be done by having the necessary policies, procedures and training in place to ensure that you are taking steps to comply with the principles of the GDPR as set out below.
Principles of the GDPR
Under the GDPR, personal data must be:
- processed fairly, lawfully and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes ;
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- accurate and where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
- in accordance with data subjects’ rights;
- processed in a way that ensures appropriate security of the personal data; and
- not transferred to a third country or to an international organisation if the provisions of the GDPR are not complied with.
It is also worth noting some of the wider ranging changes compared to the current Data Protection Act:
- You will no longer be able to make a charge for complying with a subject access request by an individual and the timeframe to respond will be reduced to one month from 40 days.
- The basis on which you have the right to process personal data is important- if you rely on the data subject’s consent as your legal basis to process their data, then from next year, the data subject will have a stronger right to require that their personal data is deleted.
- Children’s personal data will have special protection and it is likely that you will need a parent or guardian’s consent in order to process the child’s data lawfully.
- The level of fines for breach will increase- up to £20 million Euros or in the case of an undertaking up to 4% of the total worldwide annual turnover of the preceding year, whichever is the higher.
What should businesses be doing now?
If you already comply with the Data Protection Act then you have a starting point for compliance with the GDPR and you may be familiar with some of the language used. In terms of the practical points of what you should be doing, we suggest the following:
- Make sure you understand the additional obligations under the GDPR: look at the Information Commissioner Office’s website: www.ico.org.uk , attend seminars or training courses so that you understand what changes may need to be made.
- Audit: you need to undertake an audit of your processes and documentation to know what needs to be changed.
- Seek appropriate advice. You may need assistance to rewrite policies and privacy notices, or to make sure your commercial agreements protect you and adhere to the obligations your business is under as a data controller or a data processor. You may also need to consider whether your insurance cover is adequate.
- Overlap with Cyber Crime prevention: you will need to consider that the IT security systems you have in place are sufficient to ensure that you are able to keep personal data secure.
If you would like further advice about the issues raised in this article or any aspect of data protection law, please contact Sarah Liddiard on [email protected].
If you would like to learn more, Machins Solicitors will be hosting a breakfast seminar, ‘GDPR & Cybercrime - Are you prepared?’ on Wednesday 2nd May at Putteridge Bury Conference Centre, Hitchin Rd, Luton LU2 8LE. Richard McBarnet, Managing Director at Lumina Technology and Sean O’Neill, Cyber Security Advisor for Bedfordshire Police will be speaking. Please contact [email protected] for further information.