Date of publication: December 2017
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and is intended to harmonise European data protection laws to meet the demands of the ‘big data’ era.
To be compliant with the GDPR by the time it comes into force, many businesses will need to implement significant technical changes to avoid potentially substantial penalties.
Whilst this will pose challenges, it is also a great opportunity for businesses to reformulate their attitude to data protection and implement long-term cultural changes to apply the principles of data protection by design and default.
Data is no longer wholly stored in structured databases, as had been envisaged under current European privacy laws, but instead consists of unstructured electronic information across various media (emails, messages, photos, tweets, etc.), necessitating the introduction of a new legislative framework.
There has also been an explosion in the volume of data being created, with more data having been created over the past two years than in the entire history of the human race.
Data no longer respects national boundaries. Information now flows around the world seamlessly, instantaneously, and is often stored simultaneously across multiple locations.
The GDPR will apply to any business, whether established inside or outside the EU, which offers goods and services to EU citizens or monitors their behaviour. Please note that the GDPR will not be materially affected in the event of Brexit.
The GDPR retains the core rules and principles of the Data Protection Directive, enshrined in UK law by the Data Protection Act 1998 (DPA), regulating the processing of personal data. (For more information about the DPA please see our Quick Guide on this subject, a copy of which can be found here).
The existing rights of individuals to access their own personal data; object to direct marketing; rectify inaccurate data; and challenge automated decisions made about them are all enshrined in the GDPR.
Financial penalties: Fines of up to the higher of €20 million or 4% of annual worldwide turnover may be levied for data breaches. Individuals can also claim compensation from organisations for financial loss or distress suffered.
Accountability, Reporting Duties & Privacy Notices: Companies will need to demonstrate that they comply with the GDPR via accurate record-keeping. The extent of such records will depend upon the size of the organisation and level of risk having regard to the nature of data being processed.
Privacy notices must be concise and intelligible whilst containing specific information about individuals’ rights and the nature of processing of their data. Businesses will need to report security breaches to affected citizens without undue delay and to their regulator within 72 hours.
New rights for individuals: New rights include the right to erasure of data, the right to data portability and the right to object to profiling activities.
Consent: Valid consent to process sensitive personal data will be more difficult to obtain and individuals must be able to withdraw their consent at any time. Consent from a child will only be valid if authorised by a parent.
Appointment of Data Protection Officer (DPO): Certain organisations will be obligated to appoint a DPO; however, voluntary appointments may also be made. The role of DPO is expected to be at an executive level and will assume responsibility for meeting the GDPR obligations.
In order to prepare your business for the introduction of the GDPR, you should consider the following steps:
For those currently compliant with the DPA who have proactive data protection policies, the updates needed are very achievable, and in any event, we recommend that you start undertaking the steps above as soon as possible.
Oury Clark can help in reviewing your current levels of compliance, assessing any vulnerabilities and drawing up an action plan to meet the GDPR. In particular we regularly assist in drafting and updating key documents and policies as well as providing training to staff to help ensure that you continue to meet your data protection obligations.
Should you require advice or assistance, then please contact Ben Robson at firstname.lastname@example.org or on +44 (0)207 067 4300.
Disclaimer: This note does not contain a full statement of the law and it does not constitute legal advice. Please seek legal advice if you have any questions about the information set out above.
Copyright © 2013 - Oury Clark.