An Introduction To GDPR
With the implementation of the GDPR (General Data Protection Regulation) fast approaching, we have produced a series of articles which will set out key elements of the new regulation in bite-size detail.
This first instalment answers some frequently asked questions and provides some brief insight into the background behind the new regulation.
What is the GDPR?
The GDPR will take effect from Friday 25 May 2018 (replacing the Data Protection Act 1998) and will establish standardised laws across the European Union (EU) protecting the data privacy rights of EU citizens.
Why has the GDPR been introduced?
There are two strands to this answer:
Many organisations operating across the EU have grown frustrated by an increasing lack of cohesion between the member states despite the fact that data is increasingly able to flow without boundaries. The GDPR is therefore designed to harmonise national data protection laws across the EU by introducing a single legal framework across all EU member states.
Due to the speed of technological advancement, coupled with the fact that we now live in such a data-driven world, it is obvious that the current data protection laws are overdue an upgrade of their own in order to bring them up to date to cover the various advancements in technology as well as the ever-increasing prevalence of big data and, of course, crucially, to protect the personal data of individual citizens.
The GDPR will therefore bring existing legislation up to date and offer greater protection to individuals, whilst placing more stringent obligations upon the businesses that collect, store and process our information.
What are the ‘rights of individuals’?
The GDPR includes the following rights for individuals:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- The right not to be subject to automated decision-making (including profiling).
When will it take effect?
The GDPR takes effect on Friday 25 May 2018.
Will Brexit affect GDPR?
No. The government has confirmed that the GDPR will still apply to UK-based businesses despite Brexit.
What are the penalties for non-compliance?
A non-compliant business can expect a significant financial penalty. The maximum fine which can be imposed upon a non-compliant business under the GDPR for a fundamental breach is the greater of 20 million Euros or 4% of group worldwide turnover.
Other prescribed infringements of the regulation could attract a fine of the greater of 10 million Euros or 2% of group worldwide turnover.
To put that into perspective, the current maximum fine for a non-compliant business under the DPA is £500,000.
I operate a small business, will I still need to comply?
Absolutely. The GDPR will apply to all businesses across the spectrum and non-compliance is simply not an option, regardless of business size. In fact, many small business owners might be surprised at the level of potential fines levied at those who do not comply with the new regulation.
What should I be doing now to prepare for the implementation of the GDPR?
Don’t panic. For most well-run businesses with up-to-date data protection provisions and processes in place, the transition should be relatively painless. There are, however, some specific areas which will need to be reviewed to ensure compliance, such as:
- Awareness: make sure that your organisation is aware that the law is changing and how this is likely to impact current data protection procedures.
- Information currently held: conduct an information audit - document what personal information your organisation currently holds, where it came from and how (and to whom) it is shared.
- Privacy information: review your current privacy notices and implement any necessary changes as early as possible.
- Individuals’ rights: ensure that your current procedures cover all the rights of individuals (as listed above).
- Subject access requests: review your current procedures and plan how you will handle subject access requests, bearing in mind that, in most cases, you will no longer be able to charge for complying with a request and the timeframe for complying with a request will be a month instead of the current 40 days.
- Lawful basis for processing personal data: identify your lawful basis for processing personal data and ensure that it is clearly set out within your privacy notice.
- Consent: review how you seek, record and manage consent as this is a major area for change within the new regulation.
- Children: will you need to implement an age-verification system or obtain parental or guardian consent for any data processing activity?
- Data breaches: it is crucial that your business has robust procedures in place to enable the swift and thorough detection, reporting and investigation of any personal data breach.
Watch this space for our next instalment or, alternatively, feel free to get in touch with our Corporate and Commercial team if you have any pressing concerns regarding the GDPR’s impending implementation.