New data protection rules: are you prepared?
Next year sees the introduction of stringent new rules governing the safeguarding of personal data, with a new emphasis on transparency and accountability.
The new General Data Protection Regulation

On 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect, requiring all organisations that deal with individuals living in an EU member state to fully protect the personal information belonging to those individuals, and to have documented proof of such protection. The UK’s decision to leave the EU will not affect the introduction of the legislation in the UK.

The new GDPR requires a consistent and transparent approach to data processing, and the financial penalties for failing to comply are severe – with fines of up to €20m or up to 4% of total annual worldwide turnover.
New requirements for businesses

While the principles of the new GDPR are broadly similar to the existing Data Protection Act (DPA), there are some key changes placing additional obligations on businesses.

A fundamental new requirement of the GDPR relates to accountability. Businesses must be able to identify their lawful basis for processing personal data, and document this. The GDPR also prioritises the issue of consent, requiring that an indication of consent must be specific, unambiguous and freely given.

Another principle central to the GDPR is the concept of ‘data protection by design and default’, by which firms build in the necessary privacy and security protections from the outset rather than as an afterthought. In some circumstances, businesses will be required to undertake a Data Protection Impact Assessment.

The GDPR applies to both ‘controllers’ and ‘processors’ of personal data. Processors will be specifically required to maintain records of personal data and processing activities and will have increased legal liability for any breaches (including reporting certain breaches), under the new laws.

Meanwhile, controllers will be under additional obligations to ensure that their contracts with processors are in compliance with the GDPR.
New definitions of personal data

Reflecting the significant growth in the digital economy and changes to the way in which information is collected, the GDPR extends the DPA definition of ‘personal data’ to cover a larger range of personal identifiers, including online mechanisms such as IP addresses.

‘Sensitive’ personal data, defined in the GDPR as ‘special categories of personal data’, has also been expanded to include such categories as genetic data and biometric data where this is used to identify an individual person.
Preparing for the regulations

Businesses should take steps now to make sure they are ready for the new legislation. Some of the main areas for action might include:

• Making sure members of staff are aware of the new regulations, and providing ongoing training
• Identifying the lawful basis for your data processing activity
• Reviewing and classifying the personal data your business holds, its origins and who you share it with
• Creating an audit trail
• Reviewing your procedures relating to consent, requesting and documenting fresh consents from customers where necessary to ensure that your business is seeking, collecting and managing consent in line with the GDPR
• Updating procedures to ensure they cover the enhanced rights for individuals, including the right to have data erased and the right to data portability, as well as new protection for children’s data and the reduced 30 day deadline for subject access requests
• Reviewing your privacy notices
• Adopting a principle of ‘data protection by design’ for all future projects
• Including procedures for identifying and investigating data breaches
• Assigning responsibility for data protection to a key member of staff; appointing a Data Protection Officer (DPO) will be a legal requirement for some organisations
• Making sure that your data and processes are regularly reviewed to ensure that they remain compliant.
Further information and guidance can be found on the Information Commissioner’s Office website: www.ico.org.uk.

With new regulations approaching, businesses are advised to review their data privacy and security practices, identifying areas of risk and introducing robust processes and controls, ahead of time.

This article is for general guidance only, and you are always advised to consult an expert before taking any action.