By Employment and Privacy Law Partner, Carl Atkinson
On 25th May 2018, the General Data Protection Regulation (GDPR) will come into force in the UK, implementing the biggest change to data protection law in a generation.
Non-compliant businesses risk enforcement action that could damage both their public reputation and their bank balance. The upper limit for fines for non-compliance has increased to 20m Euro or 4% of annual global business turnover, which has re-emphasised the importance of data protection at an executive level.
Despite high-level media attention, there is still widespread uncertainty about GDPR among businesses. Many have yet to adopt a clear plan to ensure they meet the requirements of the new legislation. For these businesses, the best course of action will be to use the coming months to prioritise steps to update their data protection policies and strategies, increasing their overall awareness of the new legislation and what it will entail, so that they comply with the new requirements. First steps may include ensuring key business stakeholders understand the need for change and have ‘bought in’ to the plans for compliance.
What will the GDPR entail?
- Geographical Scope – the GDPR will significantly expand the scope of the legislation. Businesses which process the personal data of residents of the EU will now be subject to compliance regardless of location. Consequently, software solution businesses located in the US and sub-contractor processors located in India may now be caught by the GDPR.
- The “death of implied consent” as a basis for processing – many businesses have historically relied upon the “consent” of the data subject as a basis for processing their data. The GDPR restricts the opportunity to rely upon consent: under the GDPR, consent must be specific and informed, and businesses cannot require consent in return for a service, for example access to a pub or hotel “free WiFi”.
- Improved rights to privacy for data subjects –including the right to require businesses to delete personal data in certain circumstances and the right to terminate consent as a basis for processing.
- Data breach notification – under the GDPR businesses will be required to notify the Regulator of a significant data breach within a short time frame (likely to be 72 hours). Failure to do so may expose the business to enforcement.
- The appointment of data protection officers – businesses which are large-scale processors may be required to appoint a data protection officer, whose role will be to advise the business on its obligations under the GDPR and to monitor compliance.
All business stakeholders, whether compliant or not, must understand that GDPR is a fundamental development to existing data protection regimes. They should not assume that their present understanding or existing policies will be adequate to ensure compliance.
Initial steps to take to prepare you for GDPR
The starting point for most businesses will be to conduct a data audit. This is to understand what personal data they are holding in relation to EU residents, where it is held and what processing of that data they are undertaking. They should also consider whether they can justify the continued retention and processing of such data. One impact of GDPR will be to encourage change in the traditional commercial assumption that all personal data should be retained indefinitely.
Businesses may conclude that it is preferable to delete any personal data which they do not need for an ongoing process. Many may find that they do not have the luxury of this discretion, as the GDPR will allow individuals to terminate their consent to the processing of their data; businesses will therefore be required to delete that data from their systems. Businesses which do not understand what data they are holding, and where it is stored, before the launch will find it difficult to comply with deletion requests.
How do you begin managing your data?
One of the first considerations for businesses will be to review (and almost inevitably amend) their privacy notices and any other information which they use to explain to individuals how they will use their personal data. Given the nature of the changes which will be imposed by the GDPR, it is highly unlikely that existing privacy notices will be adequate for the new legislation.
Next steps
Once these initial steps have been undertaken, businesses should be well placed to start implementing more significant compliance reviews. Over the next few months, we will continue to set out a series of practical steps which businesses can follow to maximise their chances of compliance with the new legislation and to prepare for the launch of the GDPR in May of this year.
If you have any further questions regarding GDPR, contact Carl Atkinson, Employment and Privacy Law Partner, who will provide more guidance where necessary.