The way in which businesses process data is changing significantly. All businesses that use personal data have until 25 May 2018 to comply with the new General Data Protection Regulation (GDPR) legislation. Non-compliance can lead to potential fines of up to €20 million or 4% of annual worldwide turnover, whichever is bigger.
Even though the GDPR is European legislation, and despite the triggering of Article 50 divorce proceedings with the EU, the Government has confirmed that the GDPR will still be implemented in the UK. The GDPR will be in full effect in the UK from 25 May 2018. Whilst this may sound a long way off, in light of its wide-ranging effect the clock is now ticking for businesses to ensure that they are compliant in time.
The GDPR will apply to all businesses that process personal data, i.e. information about individuals, which will affect more businesses than might first be thought. 2,129 senior decision makers within business recently took part in a survey carried out by YouGov for Irwin Mitchell. Only 38% of senior decision makers are aware of the new GDPR rules and over a third of those surveyed believed GDPR was not an issue for the sector they work in. The perception is that it will only apply to consumers, but it has a far wider application than that. It will also apply to the use of personal data in the HR and IT fields as well as in a business context, e.g. if you deal with any suppliers or customers who are sole traders or partnerships.
There is a stick and carrot in relation to GDPR compliance. There are some hefty fines for non-compliance of up to €20 million or 4% of annual worldwide turnover, whichever is greater. Four out of 10 of those surveyed would have to cut staff or go out of business if they suffered the maximum fine. But there are also some positives. You can use your compliance to build trust and confidence with your customers and clients. In addition, if you get the right permissions you can shape your offering to clients and take advantage of Big Data, making your data work for your business. The GDPR should not therefore be seen as all doom and gloom. There are positives to be taken from compliance – and it could possibly even save or make your business money.
Some of the key changes to be introduced:
1. Compulsory notification of data breaches
Data breaches which impact on privacy will have to be notified to the ICO and the individuals affected within 72 hours of the breach happening. Breaches can range from a customer database being hacked to putting a letter in the wrong envelope. You will need to monitor your systems so that you know whether or not a breach has occurred.
2. Consent
Businesses will need to ensure that any consents are compliant and refreshed appropriately. Consents must be explicit and freely given. Each purpose needs a separate consent, and individuals must be given simple, easy-to-access ways to withdraw their consent at any time. Recent draft guidance issued by the ICO indicates that the ICO will take a hard line on consent and that it will not be easy to obtain. This is a key area for businesses to look at.
3. Transparency
A key provision of the GDPR is the obligation to be more transparent with individuals as to how their personal data is used – this requires a review of your privacy policies and fair processing notices. An individual should be informed of every activity and purpose for which their personal information is used, as well as being provided with information on anyone who you may be sharing the data with. The information must be provided in an easy to understand and accessible way and must be tailored for its audience.
4. Increased rights given to individuals to access the data held on them
Individuals already have a right to access their data under the subject access procedure. Under the new changes you will not be able to charge a fee for these requests and will have to respond in a shorter timescale.
5. Right to be forgotten
The introduction of new rights including the right to be forgotten, which can require you to erase an individual’s information from your systems, and the right to data portability, where individuals have the right to receive their personal data from you in a commonly used and machine readable format. The right to be forgotten is not as wide ranging as you might think and businesses need to understand its scope and be prepared for any requests they may receive.
6. Obligations on suppliers
Businesses will be obliged to ensure that tighter contracts are in place with any business that processes, on their behalf, the personal data they hold on individuals.
One size does not fit all. Compliance for each business will look different in that the data they collect and how they use it will be different. One thing which is common to all, however, is that virtually all businesses need to take action in relation to this reform, and soon. Businesses will be in a far better position if they have proactively tried to implement procedures to comply with the GDPR rather than bury their heads in the sand.
Businesses should be looking at this now, action points include:
- What personal data do you have and are there any rogue (and non-compliant) databases in the business?
- How do you collect personal data, and what are individuals told about how that data will be used? Is the information given sufficiently transparent? This will involve a review of privacy policies and fair processing notices.
- What is the legal basis of using the personal data? Can the business bring its use into one of the lawful purposes laid down by the GDPR?
- Where any data is processed on the basis of consent, the consents will need looking at to make sure that they comply with the GDPR and the new (currently in draft) guidance issued by the ICO. This will make consent tough to obtain, particularly where data is to be shared. As drafted, each third party the data is to be shared with will need to be named.
- Retention policies need to be reviewed and updated. The retention periods for data need to be looked at, as does how often consents are refreshed.
- Businesses should review how personal data is kept, whether this is by paper or electronic files, and how secure these systems are.
- Data breach policies and procedures as to how a data breach would be detected and dealt with need to be put in place.
- Processes need to be put in place to deal with the enhanced rights individuals have e.g. the right to be forgotten.
- Contracts relating to data processing need to be reviewed, including contracts with cloud providers, mailing houses and analytics businesses.
Don’t know where to start? Let us help you
We understand that achieving GDPR compliance may seem overwhelming. Every business is unique and so a one size fits all approach won’t work. We have specialist lawyers who are already advising businesses on how to become compliant. We will work with you to understand what your business needs are and agree a pathway to compliance.
In view of the potential fines you need a true specialist to help you navigate through to compliance. General advice in this area will not be enough. GDPR compliance should be treated like a marathon, not a sprint, and compliance requires long term planning and preparation.
Don’t leave compliance to the last minute. Get in touch with one of our Data Protection experts today. We’ll be with you every step of the way.
Joanne Bone can be contacted on Tel: 0113 218 6429 or joanne.bone@irwinmitchell.com
Published: 2 June 2017