We may be leaving the EU, but radical reform of data protection is still coming down the track from Europe.
It’s the GDPR or General Data Protection Regulation and it will arrive a year from now on 25 May 2018. That may sound a long way off, but its wide ranging effects mean the clock is ticking for businesses to ensure they are compliant.
The GDPR will apply to all businesses that process personal data - information about identifiable individuals - and that will affect more businesses than one might think. It is not just about consumer protection, it will apply to the use of personal data in the HR and IT fields as well as in a business context, such as dealing with any suppliers or customers who are sole traders or partnerships.
There is a stick and carrot in relation to GDPR compliance. There are some hefty fines for non-compliance of up to €20 million or 4% of annual worldwide turnover, whichever is greater. But there are also some positives. You can use your compliance to build trust and confidence with your customers and clients. In addition, if you get the right permissions you can take advantage of the Big Data revolution.
Some of the key changes to be introduced:
- Data breaches which impact upon privacy must be notified within 72 hours to the regulator and to those affected. Breaches can range from a customer database being hacked to putting a letter in the wrong envelope.
- Consents to data use must be explicit, freely given and up to date. Each purpose needs a separate consent and individuals must be given simple ways to withdraw their consent at any time. The ICO will take a hard line with consent. In its current form the ICO’s draft guidance requires you to name every third party the data is to be shared with. This is a key area for businesses to look at.
- An individual must understand how their data is used. The information must be easy to understand, accessible, and tailored for its audience. This is a key provision of the GDPR and means your privacy policies and notices should be reviewed.
- More rights for individuals to access their data, beyond the present procedure. No fee and a quicker response time for subject access requests. Also the right to data portability, where individuals can request their data in a user-friendly format.
- A new ‘right to be forgotten’. You could be required to erase an individual’s information from your systems. This however has certain limitations and businesses need to respond appropriately to requests they may receive.
- Tighter contracts with businesses who process data on your behalf.
Every business collects and uses data in different ways so one size won’t fit all in compliance. But virtually all businesses need to move quickly to be prepared for May 2018.
Here are some questions to ask:
- What personal data do you have and are there any rogue (and non-compliant) databases in the business?
- How do you collect personal data, what are individuals told about how it will be used, and is it sufficiently transparent? This will involve a review of privacy policies and fair processing notices.
- What is the legal basis of using the personal data? Can the business bring its use into one of the lawful purposes laid down by the GDPR?
- Where any data is processed on the basis of consent, will the consents comply with the GDPR and the new (currently in draft) guidance issued by the ICO? This will make consent tough to obtain, particularly where data is to be shared. This is a key area for businesses to look at.
Some further action points:
- Retention policies need to be reviewed and updated. The retention periods for data need to be looked at, as does how often consents are refreshed.
- Businesses should review how personal data is kept, whether this is by paper or electronic files, and how secure these systems are.
- Data breach policies, and procedures for how a breach would be detected and dealt with, are needed.
- Processes need to be put in place to deal with the enhanced rights individuals will have to request their data, or for it to be erased.
- Contracts relating to data processing need to be reviewed, including contracts with cloud providers, mailing houses, and analytics businesses.
Businesses will be in a far better position if they have proactively tried to comply with the GDPR, rather than bury their heads in the sand.
Joanne Bone, Partner
Published: 11 May 2017
A moment of clarity
May 2017
For general enquiries
0808 291 3524
Or we can call you back at a time of your choice
Phone lines are open 24/7, 365 days a year
