
New data protection rules: are you prepared?

Next year sees the introduction of stringent new rules governing the safeguarding of personal data, with a new emphasis on transparency and accountability.

The new General Data Protection Regulation

On 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect, requiring all organisations that deal with individuals living in an EU member state to fully protect the personal information belonging to those individuals, and to have documented proof of such protection. The UK’s decision to leave the EU will not affect the introduction of the legislation in the UK.

The new GDPR requires a consistent and transparent approach to data processing, and the financial penalties for failing to comply are severe – with fines of up to €20m or up to 4% of total annual worldwide turnover.

New requirements for businesses

While the principles of the new GDPR are broadly similar to the existing Data Protection Act (DPA), there are some key changes placing additional obligations on businesses.

A fundamental new requirement of the GDPR relates to accountability. Businesses must be able to identify their lawful basis for processing personal data, and document this. The GDPR also prioritises the issue of consent, requiring that an indication of consent must be specific, unambiguous and freely given.

Another principle central to the GDPR is the concept of ‘data protection by design and default’, by which firms build in the necessary privacy and security protections from the outset rather than as an afterthought. In some circumstances, businesses will be required to undertake a Data Protection Impact Assessment.

The GDPR applies to both ‘controllers’ and ‘processors’ of personal data. Processors will be specifically required to maintain records of personal data and processing activities, and will have increased legal liability for any breaches (including reporting certain breaches) under the new laws.

Meanwhile, controllers will be under additional obligations to ensure that their contracts with processors are in compliance with the GDPR.

New definitions of personal data

Reflecting the significant growth in the digital economy and changes to the way in which information is collected, the GDPR extends the DPA definition of ‘personal data’ to cover a larger range of personal identifiers, including online mechanisms such as IP addresses.

‘Sensitive’ personal data, defined in the GDPR as ‘special categories of personal data’, has also been expanded to include such categories as genetic data and biometric data where this is used to identify an individual person.

Preparing for the regulations

Businesses should take steps now to make sure they are ready for the new legislation. Some of the main areas for action might include:

• Making sure members of staff are aware of the new regulations, and providing ongoing training
• Identifying the lawful basis for your data processing activity
• Reviewing and classifying the personal data your business holds, its origins and who you share it with
• Creating an audit trail
• Reviewing your procedures relating to consent, requesting and documenting fresh consents from customers where necessary to ensure that your business is seeking, collecting and managing consent in line with the GDPR
• Updating procedures to ensure they cover the enhanced rights for individuals, including the right to have data erased and the right to data portability, as well as new protection for children’s data and the reduced 30 day deadline for subject access requests
• Reviewing your privacy notices
• Adopting a principle of ‘data protection by design’ for all future projects
• Including procedures for identifying and investigating data breaches
• Assigning responsibility for data protection to a key member of staff; appointing a Data Protection Officer (DPO) will be a legal requirement for some organisations
• Making sure that your data and processes are regularly reviewed to ensure that they remain compliant.

Further information and guidance can be found on the Information Commissioner’s Office website: www.ico.org.uk.

With new regulations approaching, businesses are advised to review their data privacy and security practices, identifying areas of risk and introducing robust processes and controls, ahead of time.

This article is for general guidance only, and you are always advised to consult an expert before taking any action.