General Data Protection Regulation (GDPR) - An Overview
Partner Debbie Brett, in our Commercial & Regulatory team, outlines General Data Protection Regulation (GDPR) and its implications.
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and is intended to harmonise European data protection laws, which makes it easier for EU citizens to understand how their data is being processed and raise any complaints.
The new regulations give many businesses a good opportunity to re-evaluate how they approach data protection and to implement substantial technical changes in order to avoid potentially substantial penalties.
Why is the GDPR needed?
Storing data is no longer as simple as it once was. We no longer store all data in one structured database, and given the complex ways in which many individuals and companies now store data (emails, photos, social media, cloud storage, etc.), legislation has needed to be updated to govern how this data is processed.
Given that information now becomes available across the world instantaneously and no longer respects national boundaries, it has become necessary to develop EU-wide legislation.
Who will the GDPR apply to?
The GDPR will apply to any business, whether established inside or outside the EU, which offers goods and services to EU citizens or monitors their behaviour. With Brexit looming over the United Kingdom, please be aware that the GDPR will still apply post-Brexit.
Data Protection Act 1998 (DPA) vs GDPR
The GDPR retains the core rules and principles of the DPA regarding the processing of personal data, including the following existing rights:
- of individuals to access their own personal data;
- of individuals to object to direct marketing; and
- of individuals to rectify inaccurate data.
It also introduces new obligations, including:
- appointment of a Data Protection Officer (DPO) - Certain organisations will be obligated to appoint a DPO, who is expected to be at an executive level and will assume responsibility for meeting the GDPR obligations.
- financial penalties - Companies can now receive fines for data breaches of up to the higher of €20 million or 4% of annual worldwide turnover. Individuals can also claim compensation from organisations for financial loss or distress suffered.
- accountability and reporting duties - Companies will now need to keep accurate records to demonstrate that they comply with the GDPR. The extent of the records required will depend on a number of factors, including:
  - The size of the company;
  - The sensitivity of the data being transferred; and
  - The level of risk relating to the type of data being transferred.
- breach notification - Companies will need to report any security breaches to the affected individuals without delay and to their regulator (the Information Commissioner’s Office for companies in the UK) within 72 hours.
Under the new legislation it has become more difficult to obtain valid consent from individuals to process sensitive personal data. The individual must be able to withdraw their consent at any time.
A child will not be able to consent unless authorised by a parent.
Steps to take now
In order to prepare for the GDPR, businesses should consider taking the following steps:
- Identify key data that needs to be protected and understand the possible risks of storing that data
- Evaluate who has access to this data
- Create suitable policies that enable the company to protect its data and to ensure its security
- Ensure high default privacy settings are built into new company processes to prevent any data breaches
- Appoint a Data Protection Officer if required
For those currently compliant with the DPA who have proactive data protection policies, the updates needed are very achievable, and in any event, we recommend that businesses start undertaking the steps above as soon as possible.
Blandy & Blandy LLP can help in reviewing businesses' current levels of compliance, assessing any vulnerabilities and drawing up an action plan to meet the GDPR. In particular, we regularly assist in drafting and updating key documents and policies as well as providing training to staff to help ensure that clients continue to meet data protection obligations.
This blog article was produced with support from Joshua Casey.
This article is intended for the use of clients and other interested parties. The information contained in it is believed to be correct at the date of publication, but it is necessarily of a brief and general nature and should not be relied upon as a substitute for specific professional advice.