The impending introduction of the General Data Protection Regulation (GDPR) in May next year will not come as a revelation to most people. It is the biggest overhaul in data protection law in almost two decades, since the introduction of the Data Protection Act (DPA) in 1998.
The UK Government recently released a statement of intent, which indicates how the GDPR will continue to apply in the UK post-Brexit. It's important to know how this will affect you and your business and what you need to be doing between now and the 25 May to be GDPR ready.
Who will be affected by the GDPR?
The GDPR applies to the use of personal data both in electronic and hard copy. The personal data you use may be customer details, employee information or may relate to those who you do business with. It will therefore affect all businesses, regardless of your size or what you do; all businesses will hold some form of personal data.
What do you need to know about the GDPR?
If you're already familiar with the DPA, many aspects of the GDPR will be familiar to you. The framework and concepts will essentially remain the same but with a greater emphasis on:
It will no longer be enough to just be compliant with data protection legislation; you will need to document essential information about your use of that personal data. For example, you need to record how you've reached decisions, how you've applied data protection principles to your use of personal data and your legal basis for using the personal data. Basically, it's no longer enough just to comply; you have to show your workings (think GCSE maths).
Your organisation will need to have appropriate security provisions in place to protect personal data. What amounts to 'appropriate security provisions' will vary from business to business depending on what you do with personal data, but it's likely to include some form of protection from cyber-attacks and being able to recover data which is lost or deleted.
One of the key themes of the GDPR is that processing of data must be transparent. In order for the processing of personal data to be transparent, you need to tell people what information you hold about them, for what purpose you hold it and what you're planning on doing with it (amongst other things). You will normally be required to provide this information when you collect personal data and it will typically be provided in a 'privacy notice'.
The GDPR lists six different bases for legally using personal data. To lawfully use personal data, you need to make sure that one of those lawful bases applies to your use. One such lawful basis is where an individual has provided you with their consent to use their personal data for a specific purpose.
Following the introduction of the GDPR, there will be a higher burden on organisations relying on consent. For example, opt-out or pre-ticked boxes will no longer be a valid form of consent; individuals must take affirmative action in order to provide consent. Any consent that doesn't meet the standards of the GDPR will need to be refreshed. It's always worth remembering that consent is only one legal basis for processing personal data; there are another five which may be more appropriate to use.
All organisations will need to have a greater understanding of the data they hold, why it is held and the length of time it is to be held for. Therefore, the biggest change likely to flow from the introduction of the GDPR will be the attitude of many organisations to how they process personal data.
What are the risks of non-compliance?
The GDPR represents a significant shift towards giving individuals control over their own data.
From May, individuals will have powerful new rights in relation to their data, such as an enhanced 'right to be forgotten', making it much easier for individuals to insist their data is deleted in certain situations.
There will also be an enhanced right of subject access, which will be subject to fewer conditions and the ability to request more extensive information. Organisations will only have one month to respond, as opposed to the current 40 days, and will lose the ability to charge a fee.
If the Information Commissioner's Office (ICO) becomes aware of non-compliance, either through a complaint from an individual or a data breach, it will have new powers to impose much higher sanctions.
Currently, the ICO can impose fines of up to £500,000 but under the GDPR, this will increase to £17m or 4% of global turnover (whichever is higher). This seems to have struck fear into the heart of many organisations, who are worried that they may face massive fines which could put them out of business.
The Government has recently confirmed its support for the increased sanctions. However, the ICO has sought to reassure businesses that although it will have the power to impose bigger fines, the issuing of fines will continue to be a last resort and, comfortingly, it won't be using this power to make early examples of organisations for minor infringements.
To prove its point, the ICO, in one of its recent GDPR myth-busting blog posts, published its record for issuing fines over the last year – of the 17,300 cases it concluded, only 16 of them resulted in fines; this is less than 0.1%.
However, it's certainly best to err on the side of caution as the ICO has traditionally taken a dim view on those organisations who don’t take data protection seriously.
What should you be doing to prepare for the GDPR?
There are a number of things you and your business could be doing to be ready for May next year, including:
- Auditing current data protection protocols and compliance within your organisation.
- Updating policies and procedures to reflect the principles set out in the GDPR.
- Training staff and promoting a culture of compliance within your business.
- Updating any privacy notices to include such information as data retention periods and legal grounds for processing.
- Thinking clearly about how you're delivering information to people and the level of comprehension of the age groups you're delivering the information to – is it clear and in simple terms? Would it be easily understood by the target age groups?
- Reviewing contracts, such as employment and supplier contracts, and considering how the data protection clauses may need to be updated to reflect the new GDPR principles.
- Determining whether you're required to appoint a data protection officer, or whether it would be beneficial to voluntarily appoint one, and who this might be.
All seems a little overwhelming? If you would like any advice or assistance in relation to the GDPR, or information law in general, contact Bevan Brittan's specialist Information Law team.
About the author
Lauren Danks works as a solicitor at Bevan Brittan LLP, specialising in information law and cyber security.