As IT systems have developed over the years, governments have created legislation to safeguard the privacy of their citizens. The European Union’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, when it replaces the UK Data Protection Act 1998 (1998 DPA). As the deadline is fast approaching, compliance is not a matter of choice or a matter of just ticking a few boxes.
The new regulation consists of 173 Recitals and 99 articles. The articles form the wording and instruction of the regulations and the recitals provide clarification to their meaning. This regulation impacts anyone in or from the EU and so will apply to UK and other EU companies. The regulation automatically became incorporated in UK law as it was passed when the UK was still a member of the EU.
The GDPR is far more detailed and specific than the 1998 DPA in that it puts the onus on the data controller to make sure they have the correct permission before using the data. The rights given to consumers within this new regulation include the right to have their data deleted and the right to request that their information be changed if it is wrong. Data subjects will also have the right to request their data in a common format that would make it easy for them to pass on that information to another provider. This would need to be provided within 30 days. The requirement to present data in a common format may create challenges for many companies as they decide which format will be suitable.
So far, the main concern for companies has been the large revenue-based fines that have been set out for non-compliance with the new regulations, imposing penalties of €20 million or 4 per cent of the company’s global annual turnover. With potential fines such as these, it is important for businesses to put in place processes to enable them to respond to and mitigate such risks.
In the recent case of Vidal-Hall v Google litigation, it was claimed that Google, through its use of internet ‘cookies’, misused the claimant’s private information by offering it to advertisers who used it to target advertisements which were displayed on the claimant’s computer screens. The claimant sought damages for distress and anxiety caused by the breaches. This right is also present in Article 82 of the GDPR, which provides the right to compensation for both “material” and “non-material” damage caused by infringement.
As GDPR does not only affect the IT department but has an impact on the whole structure of the company, this discussion needs to be taken to the boardroom. With the average GDPR-readiness scoring at 4.1 out of 10, it is apparent that more work needs to be done. Here are some tips to help you get started:
Research what other organisations have done, particularly those in your sector
Build staff awareness – Team compliance and training will make the transition much smoother for the whole team
Check on your suppliers – Make sure that your suppliers or data processors are either already compliant or are making changes that will be effective by the deadline
Conduct a Data Inventory Exercise – Go through the company’s process for collecting data step by step, and you should start to see loopholes and areas which need to be reviewed in order to comply with the new regulations
It is not too late to start.
Just take it one step at a time and to your surprise you will become a GDPR expert!
Solinda Nyamutumbu is a legal intern at Pure Business Law. She is an LLB Graduate from The University of West England as of July 2017 and began her LPC/MSc course at The University of Law (Bloomsbury) in September 2017 as a part-time student. She has greatly enjoyed the varied and in-depth commercial experience which she is gaining during her internship at Pure Business Law.