Are you a start-up, a business, a charity or a public corporation? Are you a “controller” or “processor” of personal data? Does your business have a client database? Do you sell products or services overseas? Do you have a list of email address contacts for business purposes? if so, you need to start preparing for the GDPR (General Data Protection Regulation).
What is the GDPR?
The GDPR is Europe’ s new framework for the data protection laws. It comes into effect on 25 May 2018 and will replace the 1995 EU Data Protection directive upon which our current Data Protection Act 1988 is based. The legislation is designed to harmonise data privacy laws across Europe, give greater rights and protection to individuals as well as impose tougher rules on individuals, organisations, public bodies and companies that handle data i.e. “controllers” or “processors” of personal data.
The United Kingdom’s new data protection legislation which will implement the GDPR was published on 14 September 2017. The bill is currently going through the House of Commons and the House of Lords.
What is personal data?
Personal data means any information that can be used to identify a living individual. This can be a name, date of birth, telephone number, IP address etc.
What are the main changes?
1. Companies covered by the GDPR will be more accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and keeping documents on how you process data.
2. A company with more than 250 employees must have documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long its being kept for and descriptions of the security measures in place.
3. Companies that have “regular and systematic monitoring “of individuals on a large scale or which process a lot of sensitive personal data have to employ a data protection officer (DPO) who has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers.
4. Businesses must obtain consent from customers to process data in some situations. When an organisation is relying on such consent there has to be a “positive opt-in” by the customer. Pre-ticked opt-in boxes are not indications of valid consent.
5. Consent for children must be given by the child’s parent or guardian and must be verifiable.
6. The new law provides five other ways of processing data that may be more appropriate than consent e.g. Legitimate interest, compliance with a legal obligation, to enable performance of a contract, protection of the vital interests of a data subject or other person and performance of a task in the public interest. Whichever basis you use, you need to document your decisions to be able to demonstrate to the ICO which lawful basis you have used.
7. Individuals will now have a lot more power to access the information that is held about them. The current Subject Access Request (SAR) fee of £10 under the current regulations will be scrapped under the GDPR and requests for personal information can be made free-of-charge.
8. When someone asks a business for their data, the business must provide the information within one month.
9. The GDPR also gives individuals the right to get their personal data erased in some circumstances. This would apply if consent is withdrawn, it is no longer necessary for the purpose it was collected, the information was unlawfully processed or there is no legitimate interest.
10.Any data breach must be notified to the Supervisory Authority (ie the ICO) within 72 hours after having become aware of the data breach.
11.Individuals must be notified if an adverse impact is determined.
12.The data processor or controller does not have to notify the data subjects if anonymised data is breached.
13.GDPR fines: The legislation also introduces the following sanctions
(a) a warning in writing in cases of first and non-intentional non-compliance.
(b) regular periodic data protection audits and
(c) the power to fine businesses for non-compliance. So, if a business does not process a person’s data correctly, it can be fined. If a business does not have a Data protection officer when it should have one it can be fined. If the business commits a security breach it can be fined. The fines will be decided upon by the ICO’s office. The GDPR sates that smaller offences could result in fines of 10 million Euros or two percent of a firm’s global turnover whichever is greater. More serious offences can result in fines of up to 20 million Euros or four percent of a firm’s global turnover whichever is the greater. These sums are larger than the £500,000 penalty currently levied by the ICO. The ICO have said that their primary intention is to work with businesses and other organisations to ensure compliance and that fines will not be imposed heavy-handedly.
Who will enforce it in the UK?
The Information Commissioner’s Office.
What about Brexit?
The GDPR takes effect on 25 May 2018 and Brexit is due to happen in the Spring of 2019. The GDPR will be law before the UK leaves the EU. After Brexit the GDPR provisions will be retained in UK law.
How can I prepare my business for the GDPR?
To help businesses prepare for the GDPR, the ICO has created a 12-step guide available here:
This guide covers steps that a business should take such as ensuring that decision makers and key people in the organisation are aware of the changes, the carrying out of information audits, reviewing current privacy notices, consent documentation etc, the checking and updating of current procedures and the designation of a DPO as appropriate.
And remember, if you need advice on the GDPR or any business matter that is bothering you, call us on telephone nos 01234 834620/01234 83462 or contact Eve Jarrett at e.jarrett@purebusinesslaw.co.uk.