What you need to know
Described by the EU as the most important change in data privacy regulation in 20 years, the General Data Protection Regulation (GDPR) comes into force in the UK on 25 May 2018. This will have a major impact on anyone doing business in the UK, as anyone who offers goods or services to individuals in the EU and who processes data to do so will have to comply.
GDPR captures many more organisations doing business in the UK than those caught under the current Data Protection Act 1998, including data processors and overseas organisations. The new legislation will apply to your organisation if you trade in the UK so it is important to start planning now to ensure your organisation is compliant by May.
What are the key changes?
- Wider scope – GDPR applies to all organisations, whether or not established in the EU, if their processing activities relate to offering goods or services to, or monitoring the behaviour of, individuals in the EU. Data processors are now also directly subject to certain requirements under GDPR.
- Tougher sanctions – GDPR has some of the highest sanctions for non-compliance, with the possibility of administrative fines of up to 4% of annual worldwide turnover or €20 million (whichever is higher).
- More individual rights – The rights of individuals are enhanced under GDPR, and it introduces a new right to data portability. This gives an individual the right to receive the personal data they have provided, or to have it transmitted to another organisation, in a structured, commonly used and machine-readable format, for example, to make it easier to switch banks.
- Accountability and governance – One of the biggest changes under GDPR is that data governance is no longer just a case of doing the right thing: you now have to be able to prove to regulators and data subjects that you have done the right thing. This involves creating an appropriate accountability framework for your organisation and retaining records to demonstrate compliance.
- Data privacy by design and by default – While it has always been good practice to adopt a privacy by design approach, you are now required to implement appropriate technical and organisational measures to ensure that data protection principles are met. Data protection by design means taking data protection into account right through the process of designing a new product or service, for example, pseudonymisation or other privacy-enhancing techniques, and data protection by default means ensuring, by default, that you only process data that is necessary and keep it to a minimum.
- Data Protection Officer – Your organisation may be required to appoint a Data Protection Officer (DPO).
- Data breach notifications – GDPR includes a new European-wide requirement to notify personal data breaches to the supervisory authority (without undue delay and, where feasible, within 72 hours of becoming aware of the breach) and, where the breach is likely to result in a high risk to them, to the affected individuals.
What should you do now?
- Obtain buy-in across your organisation – It is important that compliance is taken seriously from the top and flows through your organisation. It may be appropriate that the CEO/owner of your company issues a statement explaining what the company is doing to prepare for GDPR, the input that will be required from employees and training that will be provided.
- Follow the Information Commissioner’s Office (ICO) – Engage positively with any guidance issued by the ICO. We recommend the following guidance documents as a starting point:
- Create an accountability framework – Consider what is appropriate for your business; this may include carrying out a data audit, reviewing policies and practices, legal agreements and carrying out data protection impact assessments. You should keep clear records of all decisions you make, steps you take and monitoring and reviews going forward.
- Are you legally required to appoint a Data Protection Officer? If required, appoint one now (internal or external) and if not required, consider whether you need one. Ensure that your officer is in place as soon as possible so that they are fully engaged and prepared for May 2018.
- Policies and processes – Because of the need to be able to prove that you have adhered to the data protection principles, it is vital to have strong policies and processes in place, provide training on them, keep them updated, and ensure they are followed. These may include, for example, a data protection policy, information security policy, policy on when you need to complete a data protection impact assessment and a breach response procedure.
- Legal agreements – You will need to review your legal agreements carefully to ensure they are updated to cover GDPR and to protect your organisation. This will include updating obligations to reflect the changes under GDPR in agreements with any third parties who process personal information on your behalf.
How we can help
We can help with all aspects of data protection support to help you implement practical solutions that are suited to your business.
Here are some examples of how we can help:
- Creation of a bespoke GDPR roadmap appropriate for your organisation;
- Review and updating of legal agreements, including standard terms and conditions, to ensure compliance with GDPR and appropriate protection for your business;
- Review and/or creation of privacy and data protection policies (internal and external);
- Assistance with creating a suitable accountability and governance framework for your business;
- Advice on dealing with individual requests; and