The EU General Data Protection Regulation (GDPR) is, according to the EU, the most important change in data protection privacy regulation in 20 years. In the UK, these rules will replace the Data Protection Act ('DPA') and will deal with the secure collection, storage and usage of clients’ personal data.
These regulations, summarised in our previous post EU General Data Protection Regulation, apply to all businesses in the EU and are designed to safeguard the personal data of citizens from EU member states, with non-compliance potentially leading to substantial fines.
However, despite the wide ranging and obvious importance of this legislation and its related effects, many businesses do not have a plan in place in order to deal with the regulations and more concerning still, many are not even aware of the regulations or their far reaching impact.
Some of the key requirements of GDPR are:
- Businesses with over 250 employees must assign a Data Protection Officer (DPO) who will be responsible for ensuring that the business is collecting and storing personal data responsibly;
- Any breaches of data must be reported to the Information Commissioner’s Office (ICO) within 72 hours;
- Clients reserve the 'right to be forgotten' and may withdraw their consent to the use of their personal data at any time;
- The timeframe for businesses to respond to Subject Access Requests (SAR) will be reduced to 30 days.
Business Impact & Related Actions
The effect of GDPR is wide ranging, with many actions required to be fulfilled in order to remain compliant, including:
- Businesses must understand and record all personal data held as a business, how it was captured, how it is held, how it is used etc. The definition of personal data is wide ranging;
- Consideration will be required where businesses rely on a data subject’s consent to process their personal data. Requests for consent cannot be hidden in small print and should be unambiguous, and the ability of a business to prove where and how it obtained a data subject’s consent will be important;
- Encryption of data is widely recommended for security purposes;
- Appropriate processes should be in place so that data subjects' rights can be attended to within the 30-day response time referenced above;
- Businesses and their relevant employees must be clear on what constitutes a data breach and appropriate measures should be implemented for dealing with any breaches that occur;
- Where suppliers or other third parties process data on behalf of a business, the terms and conditions of contracts with those third parties should be reviewed. Certain mandatory clauses exist which should be included where suppliers process personal data on behalf of a business;
- All customer privacy notices must be easily accessible and their content must follow the specified guidelines;
- A documented risk assessment is required to evidence compliance with the GDPR;
- An assessment will be required to determine whether a data protection compliance officer is needed, who will be responsible for ensuring that the business is collecting and storing personal data responsibly. Businesses with under 250 employees are generally exempted from this requirement;
- It should be noted that clients reserve the right to be forgotten and may withdraw their consent to the use of their personal data at any time.
Failure to Comply
Failure to comply with the GDPR may have serious consequences including reputational damage, regulatory investigations and fines. For the most serious of breaches, fines could be up to 4% of a company’s global turnover for the previous year or €20m (whichever is the larger). For failures of an administrative nature, fines may be up to 2% of turnover or €10m (again, whichever is the larger).
As the clock rapidly ticks down to the 25 May 2018 implementation date, it is clear that all affected businesses should be ensuring that their data protection policies and procedures are in line with the requirements under GDPR.