The General Data Protection Regulation (GDPR) applies from 25 May 2018 to organisations established in the EU and to any company outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU. It replaces the current data protection regime, implemented in the UK through the Data Protection Act 1998, and aims to strengthen individuals’ rights over their personal data.
Data protection is no longer a tick-box compliance task, with an increasing number of companies finding their way into the mainstream media due to data breaches. Such exposure can damage reputation.
The driver behind the GDPR is a culture change: organisations are expected to think about how they would want their own personal information handled and to apply that standard when processing customer, employee and other personal data. The GDPR also introduces accountability as a freestanding principle, so businesses must not only comply but be able to demonstrate that they comply, which requires a more proactive and documented approach.
Whilst many of the GDPR’s main concepts are the same as the existing Data Protection Act, there are new elements and significant enhancements, so there will be new principles that businesses will have to grapple with for the first time.
Any business which is in breach of the new GDPR could face significant fines of up to €20m or 4% of the organisation’s global annual turnover, whichever is higher.
Preparing for the GDPR
Businesses can start planning for the implementation of the GDPR by following these top tips:
- Understand that the GDPR will significantly change data protection law in the UK when it comes into force.
- Ensure that the senior management team in your business understand the sanctions under the GDPR. Obtain external training for GDPR awareness and compliance at a senior level.
- Document what personal data you hold, where it came from and who you share it with. You may want to organise an information audit across your business.
- Review your current privacy notices and identify high-risk areas in your existing processing. Under the GDPR you will have to disclose additional information to individuals, such as the lawful basis for processing their data, your retention periods and their right to complain to the supervisory authority.
- Be aware of changes to obtaining consent to process employee data and a greater focus on the legal basis for processing data. You should review how you seek, record and manage consent and whether you need to make any changes.
- Check that your procedures cover all the rights individuals have. Many of these rights are the same as under the existing Data Protection Act, but the GDPR adds new ones (such as the right to data portability) and tightens existing ones (subject access requests must generally be answered within one month and free of charge), so do not assume existing procedures will carry over unchanged.
- There will be new record-keeping obligations for data controllers and processors, including employers, to demonstrate compliance with GDPR requirements. Ensure that your business has clear, written internal data protection policies which are endorsed by the senior management team.
- Decide who will be responsible for implementing and coordinating your compliance plan, whether an individual or a team. Note that some organisations, including public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, will be required to appoint a Data Protection Officer.
- If your business operates in more than one EU member state, determine your lead supervisory authority. This will be the authority in the member state of your main establishment, normally the place where decisions about the purposes and means of processing are taken.
- Begin to develop a timeline for implementing GDPR compliance. The GDPR applies from 25 May 2018 with no transitional period, so this is a hard deadline: your business will need to be compliant from day one.
The GDPR and Brexit
Brexit isn’t going to save you! The UK will still be a member of the EU when the GDPR comes into force on 25 May 2018 and the Government intends to implement it.
Even after the UK leaves the EU, the GDPR will still apply to organisations established in the EU, and to organisations established outside the EU that process the personal data of individuals in the EU in order to offer them goods or services or to monitor their behaviour.
It is also likely that the UK will seek to maintain data protection legislation similar to the GDPR after leaving the EU.
If you require any advice on the new GDPR please contact Joanne Holborn, Tom Scaife or Caroline Rayner on 01228 552600/01524 548494.