Are you aware of the introduction of the EU’s General Data Protection Regulation (“GDPR”) which is set to come into force on 25th May? If not, why not! The GDPR is one of the most pervasive pieces of EU law that has been introduced for years and there is no question that it is going to affect all businesses no matter how large or small they may be.
GDPR – What is it?
In short, the GDPR is an updated version of the Data Protection Directive and will introduce and expand upon data protection laws throughout the European Union. Advances in technology and changes to the way in which we communicate and share information have led to the need to modernise the law surrounding data protection and that is exactly what the GDPR will do.
The GDPR is EU legislation and will be implemented in the UK by the Data Protection Bill 2017 – as a result of this, Brexit is unlikely to have any impact and the GDPR will still directly apply to all businesses that work within the EU.
GDPR’s Overarching Principles
Personal data must be:
- Lawfully and fairly processed in a transparent manner;
- Collected for specific, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed;
- Accurate and up-to-date;
- Kept in a form permitting identification of the data subject and for no longer than necessary for the purpose for which it is processed; and
- Processed in a manner that ensures security.
What has changed?
Amongst others, there are the following changes:
- Expansion of the definitions of:
  - “Personal data”; and
  - “Sensitive personal data”
  which means that more data will fall within the scope of the data protection laws;
- Increased emphasis on data transparency and accountability. Records must be kept up-to-date on stored data including how it was obtained and how it has been processed;
- It has been made harder for businesses to rely on consent to process personal data;
- Enhanced rights for individuals, including rights to:
  - Be forgotten;
  - Object to the processing of personal data;
  - Receive certain information regarding the collection and processing of their personal data;
  - Correct inaccurate information; and
  - Transfer their data to another ‘Data Controller’;
- Responses to data subject access requests must be made in 1 month (as opposed to the current 40 days) and no fee shall (normally) be payable;
- Increased responsibilities for notifying data subjects and the ICO of any breaches; and
- Both data controllers (entities who decide on how to process the data) and processors (entities who process the data) can now be held liable under the GDPR.
Don’t comply? Pay the price!
The GDPR leaves regulation in the hands of each member state’s regulating authority. In the UK, the Information Commissioner’s Office (“ICO”) has been tasked with ensuring that businesses comply with the GDPR.
In contrast to the previous laws, the ICO has increased powers and can impose substantial financial penalties, including:
- The maximum penalty for the most serious offences could be the greater of 20 million euros or 4% of annual turnover; and
- The maximum penalty for less serious offences could be the greater of 10 million euros or 2% of annual turnover.
Are you covered?
There are a lot of changes made by the GDPR and it is no small task to ensure compliance before 25th May. The GDPR is going to require a full evaluation of both the law and your business.
We’ve produced a non-exhaustive checklist to get you started; can you tick all the boxes? Have you:
- Undertaken an audit of personal data that is processed and all processing activities;
- Ensured privacy notices and policies are updated and GDPR compliant;
- Ensured staff GDPR training is in place and training records are taken (regular refreshers are recommended as GDPR compliance is an ongoing process);
- Carried out Data Protection Impact Assessments for high-risk data processing activities;
- Ensured that records of personal data and consents are being kept; and
- Put policies in place for breach management and reporting?
Brabners can help
How? Well, we can:
- Undertake an audit to ensure all your documents are GDPR compliant;
- Train your staff on GDPR;
- Prepare and/or review your privacy notices including your website, employee and client privacy notices;
- Draft and/or review data processing and data sharing agreements; and
- Carry out legitimate interest assessments.
Brabners also have a FREE audit matrix to help you organise your data. If you would like to make use of it, please contact Robert Gambles (Robert.Gambles@brabners.com) to gain access.