You’ve heard about it in the news and your inbox is brimming with invitations to webinars on the dreaded acronym, but when it comes to the nitty-gritty, what precisely is the General Data Protection Regulation (GDPR) and what are the essentials your business needs to know about?
The GDPR comes into force on 25 May 2018 and your business needs to be able to demonstrate compliance by this date.
You will need to review your current data processing practices and identify how to plug any gaps where you are not yet complying with the new standards. Much of the GDPR builds on existing data protection rules contained in the Data Protection Act 1998, though data subjects gain a plethora of rights in relation to the control they have over the data businesses hold about them.
Below is a broad overview of what the GDPR covers and the considerations your business needs to start acting upon to ensure you are prepared for the GDPR’s entry into force.
- Consent and Transparency
- Individuals’ Rights
- Data Protection Officer
- Transfer of Data
- Breach Notification
The GDPR sets out stricter conditions for allowing businesses to use and process personal data. Businesses need to establish the legal basis they rely on for obtaining and processing personal data, such as the legitimate interest of the business in carrying out a contract. In many circumstances, if a business wishes to retain data after it has finished carrying out services for a client, or wishes to market to them, the business will need to obtain express consent from the individual to do so.
The GDPR sets out different rights that individuals have regarding the use and storage of their personal data. When an individual exercises any of the following rights, businesses must comply within one month (unless it is a complex request) and perform the service free of charge. This is a change from the existing rules in the UK under the Data Protection Act, where businesses currently have 40 days to respond to any subject access request and may charge £10.
- Right of Access and Rectification – this means individuals can request a copy of the data businesses hold about them. They can also request that this data be rectified if it is inaccurate.
- Right of Erasure – this means individuals can request that all the data the business holds about them is deleted.
- Right to Restrict Processing – this means individuals can request that the processing of their data is blocked, and they may request that their data is kept separately.
- Right to Data Portability – this means individuals can request a secure transfer of their data from one business to another.
- Right to Object – this means individuals have the right to object to direct marketing, including profiling.
- Rights related to Automated Decision Making and Profiling – this means that where a decision is being made about an individual through automated means, individuals can request an explanation as to why those means are used, and can request human intervention if they believe a human would come to a different conclusion.
Under the GDPR, it is compulsory for businesses to appoint a Data Protection Officer where they carry out large-scale processing of personal data or process any special categories of personal data, such as genetic or medical history data. Nonetheless, under the Data Protection Bill, the UK legislation that will encompass the GDPR provisions, it will be compulsory for all businesses to appoint a member of staff to ensure the GDPR requirements are consistently adhered to.
Data Protection Impact Assessments (DPIA) ought to be carried out so that businesses might assess the risks associated with processing data in new ways, such as using other companies or new technologies. It is important to establish the relevant documentation to show that you regularly audit your data protection practices and record your data processing activities.
You will need to gain a comprehensive understanding of the data you process including what data you collect, how it is collected and how consent is obtained. You should also assess your existing processes, such as deleting data you no longer need, to ensure that these are adequate to meet the new data protection standards.
The GDPR stipulates that any citizens of the European Union should not have their data transferred outside of the EU unless the transfer is to a state with safeguards recognised to be of the same standard as those required by the Regulation.
Businesses should therefore determine where the data processors they use transfer data, and establish what steps those processors are taking to ensure their compliance with the GDPR. If the business is using a US-based data processor, it should determine whether the processor has signed up to the Privacy Shield Framework Agreement.
Any breach of the GDPR must be reported to the relevant authority within 72 hours of the company becoming aware of it, where the breach is likely to result in a high risk to the rights and freedoms of data subjects, either individually or as a group. Businesses should also notify the data subjects affected. In the UK, the relevant authority is the Information Commissioner’s Office (ICO), and we would urge you to visit their website for further guidance.
It is very important that everyone in your business is aware of the GDPR and its impact on the business.
In a groundbreaking ruling in December, the High Court found Morrisons to be vicariously liable for the actions of one of its internal auditors, who released the personal details of over 100,000 Morrisons employees as part of a revenge campaign against the supermarket. The rogue employee had committed the data breach out of work hours from his personal computer. Despite this, the court found that Morrisons, as his employer, was vicariously liable.
The test for vicarious liability is a “close connection test”, meaning that if the act is closely connected to the work the employee was employed to do, the employer will be liable for the employee’s act. The ruling may seem unfair, but businesses would be wise to heed this recent case as a warning of the importance of training and educating all staff on the new data protection rules: should an employee accidentally disclose personal information or compromise such data, the business will almost always be liable.
We are living in a data dependent world and the GDPR has come into being to give consistency to data protection rules, give individuals greater control over the data businesses hold about them and encourage businesses to shake off a lax attitude to data protection.
With potential fines of up to €20,000,000 or 4% of a business’s annual turnover for non-compliance, the GDPR is to be taken seriously. The GDPR poses an operational challenge for all businesses, and May is fast approaching.
That being said, the acronym GDPR should not be synonymous with panic.
Achieving compliance is manageable with a sensible approach and most businesses will find their existing processes and procedures will set them firmly on the road to compliance already. Very few businesses should find themselves starting from scratch.
There is no quick-fix solution, but assessing and building upon your existing data processing infrastructure will lead to palpable results. It also presents a valuable opportunity for business owners to gain a comprehensive understanding of how they use and dispose of information, and ultimately to establish responsible business practice.
If you’d like to learn more about the GDPR and our services for businesses regarding compliance with the legislation, please get in touch. We’d love to hear from you.