The GDPR will replace the Data Protection Act. From 25 May 2018, the GDPR will have a significant effect on your responsibilities when storing data and on the uses to which you can put it. If your business holds any personal information relating to individuals, you will need to have procedures in place to ensure that such information cannot be misused, is accurate and cannot be obtained by unauthorised access.
Why should I be worried about GDPR?
If you keep HR records, customer lists, contact details or other personal information including sensitive data then you will be caught by the new Regulation. You will have seen high profile data breaches reported in the media yet many businesses have still not taken any steps to make sure that they will be ready for GDPR and its implementation.
What is the current legislation and why are we changing?
The UK implemented the Data Protection Directive through the Data Protection Act 1998 (DPA), which remains in force until 25 May 2018. The DPA does not match what we do in practice: it was drafted when storage mainly consisted of large filing cabinets, before computers took over our daily working lives. The GDPR is geared towards electronic storage and processing and will, therefore, be far more rigorous, increasing the obligations on both Data Controllers and Data Processors.
The purpose of the new Regulation is to ensure that all businesses review and update their processes and procedures so that data storage, management and processing are secure. Data may only be processed for a particular purpose, and must be deleted once that purpose is served, so as to protect that information.
Penalties / fines
Failure to comply with the GDPR will mean potential fines up to €20,000,000 or 4% of annual turnover (whichever is greater). For other lesser breaches, the financial penalty is up to €10,000,000 or 2% of annual turnover (whichever is greater).
The current definitions under the DPA are expected to be broadly the same for the GDPR with some additions. In short, a Data Controller says how and why personal data is processed. In addition, under the GDPR, the Data Controller must have in place contracts with processors which comply with the GDPR.
What is meant by data?
Although the definition has been broadened, essentially this means any information which can be used to identify an individual. For example, an IP address will now be considered to be personal data. It is also important to remember that the Regulation covers manual as well as automated systems.
The conditions for consent have been strengthened as companies will no longer be able to rely on long illegible terms and conditions full of legalese as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent – meaning it must be unambiguous. Clear and plain language should be used and it must be as easy to withdraw consent as it is to give it.
Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt-in” will suffice. However, for non-sensitive data, “unambiguous” consent should suffice.
Data principles: fair processing and individual rights
The eight data protection principles which we are familiar with under the DPA are similar but with added detail in places and a new accountability requirement. This means the GDPR requires Data Controllers and Data Processors to show how they comply with the principles, for example by documenting decisions taken about a processing activity.
There have to be "conditions for processing", which means that there must be a legal basis before personal data can be processed. Under the GDPR this becomes more of an issue because the legal basis for processing has an effect on an individual's rights.
Individuals' rights will be increased to cover the following:
- The right to be informed
- The right of access
- The right of rectification
- The right of erasure (i.e. the right to be forgotten)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Businesses and organisations will no longer be able to charge for providing the data unless the request is unreasonable or involves a large amount of data. Furthermore, the timescale for providing the information has also been dramatically reduced. In short, it must be provided at the time the data is obtained or within one month if the data is not obtained from the data subjects.
Are you ready for it and what does this mean for your business?
Businesses and organisations will need to review their data protection policies (which apply not only in respect of employees but for customers as well) and ensure compliance with the GDPR.
The present proposals will involve costly infringement action, and the general consensus is that the Regulation will continue to apply post Brexit.
There will now be a duty to report data breaches to the Information Commissioner’s Office (ICO), where it is likely to result in a risk to the rights and freedoms of individuals and, in some circumstances, to the individual concerned.
Breach notification must be done within 72 hours of first having become aware of the breach.
What do I need to do to prepare for GDPR?
- Conduct an audit – all businesses and organisations will need to conduct an audit to establish exactly what data they collect and then to decide whether that information is caught by the personal data requirements of the GDPR.
- Establish the legal basis upon which you actually hold the data – for data processing to be lawful under the GDPR, you need to identify the basis upon which you are holding the information. The lawfulness of processing conditions include:
6(1)(a) – Consent of the data subject.
6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
6(1)(c) – Processing is necessary for compliance with a legal obligation.
6(1)(d) – Processing is necessary to protect the vital interests of the data subject or another person.
6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
- Review your policies and consent procedures.
- Devise a data breach plan.
- Appoint a Data Protection Officer.
- Train staff – you will need to make sure that all of your staff understand what constitutes a data breach and that this is more than simply a loss of personal data. Staff will need to be aware of the identity of the Data Protection Officer and be clear on internal breach reporting procedures.
As the GDPR represents a significant change in data protection law, you will need to set aside time to undertake a thorough audit and to put in place suitable compliance measures so that you are ready for the implementation of the new law on 25 May 2018.