What is the GDPR?
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and will replace the existing UK Data Protection Act 1998 (DPA 1998). The GDPR is intended to strengthen and harmonise data protection laws across the EU. Despite ‘impending’ Brexit, the GDPR will come into effect in the UK and is likely to remain in force (in a substantially similar form) after Brexit under the auspices of the UK Data Protection Bill. It is therefore important for UK businesses to plan for the GDPR and begin implementing the necessary changes to business practices and procedures as early as possible to ensure compliance once the GDPR becomes effective.
The GDPR will apply to most businesses. If you obtain and hold personal information relating to any living individual, including your existing and prospective customers and employees, then the GDPR will apply to your business. One of the key changes brought about by the GDPR is that it imposes direct obligations on data processors as well as data controllers, whereas the DPA 1998 only applied to data controllers. This means that businesses that process personal data on behalf of others, e.g. HR and payroll providers and marketing agencies, must comply with the GDPR.
The GDPR definition of ‘personal data’ is wider than under the DPA 1998 and includes any information which either directly identifies an individual or which can be used to identify an individual. Such information includes traditional identifiers (such as names, dates of birth, and addresses) as well as online identifiers (such as IP addresses, device IDs and cookies).
The broad definition of personal data means that practically any data collected from or about individuals can be considered personal data unless it is properly anonymised. There are specific rules regarding ‘sensitive personal data’ and criminal convictions. Most businesses will hold at least some personal data, whether it relates to their clients, employees or other contacts. It is crucial that businesses carry out an assessment of what information they hold and what changes, if any, should be made to ensure compliance with the GDPR.
The Information Commissioner’s Office (ICO) website (https://ico.org.uk/) has plenty of useful information and checklists to help business owners prepare for the implementation date.
The GDPR sets out different obligations on data controllers and processors and requires data controllers to include specified data protection obligations in any processing contracts. The GDPR also imposes a new obligation of ‘accountability’ which requires businesses to be able to demonstrate compliance with the GDPR. It is therefore not sufficient for businesses to simply ensure they comply with the data protection requirements; they must be able to show that they have relevant data protection policies and procedures in place, for example:
- Company-wide data protection policies (e.g. on handling personal information, obtaining valid consents, data retention and secure destruction of personal data) paired with staff training, audits of processing activities and reviews of HR policies;
- Data protection compliance programme and privacy governance structure; and
- Updated electronic systems that protect data by default, for example by encrypting it.
In the event of a security breach which results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, there are new obligations to make a notification.
Where the breach is likely to result in a risk to the rights and freedoms of individuals, the GDPR requires notification of the breach to the ICO. If the breach is likely to result in a high risk to the rights and freedoms of individuals the GDPR requires you to notify the individuals affected.
The ICO has the power to award compensation to individuals and impose fines up to the equivalent of €20m or 4% of the worldwide turnover of the business that has breached the GDPR, although the ICO has indicated that fines will remain the last resort. The GDPR gives the ICO a suite of sanctions to help organisations comply, including warnings, reprimands and corrective orders. However, regardless of the sanctioning powers available to the ICO, a business that fails to comply with the GDPR puts itself at risk of reputational and professional damage.
The most important points to consider are:
- Accountability: Consider whether you need to appoint a specific person or a team who will be in charge of leading the compliance programme.
- Awareness: It is important to raise awareness throughout your business, including IT and data officers, the board, HR teams, senior managers and marketing and communications teams.
- Audit: You should carry out a mapping exercise, identifying what data you have, to whom it relates and where and how it is being held. This should involve an internal review and an IT review with your IT provider.
- Assess risks and opportunities: identify the key gaps revealed by your audit and assess the risks arising as a result. You may also identify opportunities to improve the quality of data and increase engagement by updating or removing outdated information.
- Consents: review how you seek, record and manage consent and whether you need to make any changes.
- Document your procedures: a legal review of your terms and conditions, material contracts, outsourcing arrangements and internal policies should identify any areas that require updating to ensure compliance with the GDPR.
For further information or advice on GDPR compliance please get in touch with our experienced Commercial team on 0117 9733 989 or by emailing email@example.com.