Almost two months have passed since the General Data Protection Regulation (GDPR) came into force, and three weeks since Hybrid’s GDPR breakfast briefing. For a small business, the volume of new information and the changes required can make it hard to see what compliance actually demands. This article explains, in plain terms, some of the key changes to data protection legislation and what your business should do to comply.
Some key changes from the Data Protection Act 1998:
Increased Rights for Data Subjects
Individuals have increased rights under the GDPR, which carry with them further obligations on businesses holding the individuals’ personal data. These include the right for individuals to access, rectify and erase their data completely (in certain instances) and restrict the processing of their personal data.
Because these rights belong to the individual, businesses must act on related requests from data subjects within one month (as opposed to forty days under the Data Protection Act 1998). That period can be extended by a further two months where requests are complex or numerous, but the individual must be told of the extension, and the reasons for it, within the first month. In most cases the request must be handled at no cost: the fee that organisations could previously charge for a subject access request has been removed, and a reasonable fee may only be charged where a request is manifestly unfounded or excessive, for example because it is repetitive.
Extended Jurisdiction
Another key change from the Data Protection Act 1998 is the extended territorial scope of the GDPR. The GDPR applies to organisations established in the EU, and also to organisations outside the EU that process the personal data of individuals who are in the EU, where that processing relates to offering them goods or services (whether or not payment is required) or to monitoring their behaviour within the EU. Note that the test is whether the individual is in the EU, not their citizenship or residency: an organisation located outside the EU will be held accountable under the GDPR if it offers goods or services to people in the EU.
The Data Protection Officer
If your organisation is a public authority (other than a court acting in its judicial capacity), or its core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data or data relating to criminal convictions and offences, you are now required to appoint a Data Protection Officer (DPO). The role can be performed by an existing or new employee, or by an external service provider, provided that the individual or provider has expert knowledge of data protection law and practice, and that an employee’s other duties do not conflict with their duties as DPO. In practice this means the DPO should not also be the person deciding the purposes and means of processing, such as the head of IT, HR or marketing.
A DPO advises your organisation on its data protection obligations and monitors compliance with the GDPR, including assigning responsibilities, raising awareness and training staff. The DPO is also the point of contact for data subjects and for the supervisory authority. The DPO must be given independence in performing these tasks, must not be dismissed or penalised for doing so, and must be able to report directly to the highest level of management in your business. Even where appointment is not mandatory, it is essential that organisations document the assessment they made in deciding whether a DPO is required, so that the decision can be shown to the supervisory authority if asked.
Breach of the GDPR and its Implications
Under the GDPR, organisations must report a personal data breach to the relevant supervisory authority, which in the UK is the Information Commissioner’s Office (ICO), without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Any notification made after 72 hours must be accompanied by reasons for the delay. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay, in clear and plain language, including what happened and what they can do to protect themselves. Whether or not a breach meets the threshold for notification, the organisation must keep an internal record of it, including the facts, its effects and the remedial action taken, so that the supervisory authority can verify compliance.
The sanctions for infringement are far more severe under the GDPR, so the financial consequences of non-compliance can be serious for an organisation. The maximum administrative fine has increased to the greater of 4% of the organisation’s total worldwide annual turnover for the preceding financial year or €20 million. A lower tier, the greater of 2% of turnover or €10 million, applies to infringements of certain obligations such as record-keeping, security and breach notification. Fines are not automatic: the supervisory authority must consider factors including the nature, gravity and duration of the infringement, whether it was intentional or negligent, and the steps taken to mitigate the damage.
The Next Steps for your Business
Almost two months have passed since the GDPR came into force, so businesses should by now be compliant, or actively working towards compliance, with the GDPR. It is essential that organisations familiarise themselves with the new requirements and build on their existing data protection processes to reach these higher standards: in particular, map what personal data you hold and why, document your lawful basis for each processing activity, put a procedure in place for handling subject access requests within one month, decide and record whether you need a DPO, and make sure staff know how to recognise and escalate a personal data breach so that the 72-hour clock can be met.
If you’d like more information about the GDPR, its impact on your business and the services we provide for businesses regarding compliance with the legislation, please contact us.
Jonathan graduated with an LLB in Law from the University of the West of England in 2012. He then completed the Legal Practice Course in 2013 before working with some of Southampton’s top law firms.