Data protection and the GDPR – what does this mean for my business?

The General Data Protection Regulation (GDPR) comes into force in May 2018, so what generally should businesses be aware of?

Overview:

  • Larger penalties for breach
    • A new tiered approach means penalties for the most severe breaches will increase from the current level of £500,000 to up to 4% of annual worldwide turnover or €20 million (depending on the nature of the breach).
  • Brexit does not provide an immediate escape route
    • The GDPR takes effect before Brexit and its effects have a wider territorial reach than the current law.
    • Organisations do not need to be in Europe for the GDPR to apply. For example, if a website can be accessed by persons in the EU, the GDPR can apply if EU individuals are targeted or monitored, e.g. cookies are used to track persons or IP addresses are collected.
  • Data processors now face liability for non-compliance
    • It is not only data controllers who need to comply with the GDPR. Obligations will be placed on data processors to comply with the GDPR (this includes requirements for consent from data controllers to appoint new sub-processors, the need for activities to be covered by a binding contract, to keep records…and so on).
  • New and increased rights for data subjects
    • New rights include a right to be forgotten, a right to restrict profiling and a right to portability. The current rights available to data subjects are mainly retained and increased. For example, the timescale organisations have to deal with subject access requests will decrease to a month.
    • The definitions of personal data and sensitive personal data have been widened. Online identifiers such as IP addresses or cookies are mentioned within the GDPR.
    • Information or fair processing notices must be provided in a concise, intelligible, transparent and easily accessible way. The data controller may also need to provide additional information where this is necessary for the processing to be fair and transparent.
    • Using consent as the lawful basis to process personal data is made more difficult under the GDPR. If consent is used as the basis for processing this should be checked to ensure it meets GDPR requirements. Data subjects can withdraw consent at any point.
  • Be able to demonstrate compliance with the GDPR
    • To comply with the GDPR, organisations will need to implement technical and organisational measures to ensure data is processed appropriately and that the data is protected by an appropriate level of security. Organisations will be required to demonstrate that measures have been taken to reduce the risk of breaching the GDPR.
    • The “pseudonymisation” of personal data is encouraged by the GDPR; this means that the data is processed in such a way that it can no longer be used to point to a data subject without the use of additional information. This additional information is to be kept separately and securely (to prevent the pseudonymised data being attributed back to the data subject).
    • Privacy impact assessments will be required for data processing or technology which presents a high risk to individuals (a high risk is gauged in relation to the risk of infringing an individual’s rights and freedoms, such as large scale processing of sensitive data or profiling activities).
    • Data Protection Officers may be required depending on the format of the organisation and its core activities. For example the majority of public authorities will be required to appoint a DPO, together with those organisations which carry out regular and systematic monitoring of data subjects or large scale processing of sensitive data or criminal records.
    • Organisations will be required to keep records of their processing activities (e.g. types of data processed and for what purpose).
  • Mandatory reporting of personal data breaches
    • Data controllers will be required to report breaches to the relevant supervisory authority and/or the data subject unless certain exemptions are satisfied.
    • Data processors will be required to notify data controllers of all and any breaches “without undue delay on becoming aware of it”. More guidance is expected on this point, given the lack of exemptions in this area.
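The pseudonymisation point above (data that no longer identifies a subject without separately held additional information) is easiest to see in code. The following is an added Python example, not part of the original article and not an ICO-prescribed method: it replaces direct identifiers with keyed HMAC-SHA256 pseudonyms, keeps the key and the pseudonym-to-value lookup table apart from the data, and shows that analysis still works on the pseudonymised records while re-identification needs the separately stored information. The sample records, field names and the choice of HMAC are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Tuple

# Constructed sample records for the example (hypothetical, not from the page).
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"email": "alice@example.com", "ip": "203.0.113.10", "purchase": 42.50},
    {"email": "bob@example.com", "ip": "203.0.113.11", "purchase": 19.99},
    {"email": "alice@example.com", "ip": "203.0.113.10", "purchase": 7.25},
]

# Fields that directly identify a data subject and must be replaced.
# (Assumed field names; a real system would derive these from its data map.)
DIRECT_IDENTIFIERS: Tuple[str, ...] = ("email", "ip")


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that forms part of the 'additional information'.

    A keyed HMAC is used rather than a plain hash: an unkeyed SHA-256 of an
    e-mail address or IP address can be matched back to its input by hashing
    candidate values, so it would not prevent re-identification. The key
    must be stored separately from the pseudonymised data.
    """
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic pseudonym for one identifier value under the given key.

    Deterministic so that records about the same subject still link together
    (needed for analysis, and for finding all of a subject's records later).
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(
    records: Iterable[Dict[str, object]],
    key: bytes,
    fields: Tuple[str, ...] = DIRECT_IDENTIFIERS,
) -> Tuple[List[Dict[str, object]], Dict[str, str]]:
    """Return (pseudonymised_records, lookup_table).

    The pseudonymised records can be handed to analysts or processors.
    The lookup table (pseudonym -> original value) is the separately held
    additional information and must never travel with the data.
    """
    lookup: Dict[str, str] = {}
    out: List[Dict[str, object]] = []
    for rec in records:
        new_rec = dict(rec)
        for field in fields:
            if field in new_rec:
                original = str(new_rec[field])
                token = pseudonym(original, key)
                lookup[token] = original
                new_rec[field + "_pseudonym"] = token
                del new_rec[field]  # the direct identifier leaves the dataset
        out.append(new_rec)
    return out, lookup


def reidentify(
    record: Dict[str, object],
    lookup: Dict[str, str],
    fields: Tuple[str, ...] = DIRECT_IDENTIFIERS,
) -> Dict[str, object]:
    """Reverse pseudonymisation using the separately stored lookup table,
    e.g. to answer a subject access request. Without `lookup` this is not
    possible from the pseudonymised record alone."""
    rec = dict(record)
    for field in fields:
        token_field = field + "_pseudonym"
        if token_field in rec:
            rec[field] = lookup[rec.pop(token_field)]
    return rec


def total_spend_per_subject(pseudonymised: Iterable[Dict[str, object]]) -> Dict[str, float]:
    """Analysis still works on pseudonymised data: group purchases by pseudonym."""
    totals: Dict[str, float] = {}
    for rec in pseudonymised:
        token = str(rec["email_pseudonym"])
        totals[token] = totals.get(token, 0.0) + float(rec["purchase"])
    return totals


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    safe, lookup = pseudonymise(SAMPLE_RECORDS, key)
    print("pseudonymised:", safe[0])
    print("spend per subject:", total_spend_per_subject(safe))
    print("re-identified with the separate table:", reidentify(safe[0], lookup))
```

Two design points worth noting: the same input always maps to the same pseudonym under one key, which is what makes the data usable for analysis and for locating a subject's records when a right of access or erasure is exercised; and a different key (or a rotated one) produces unrelated pseudonyms, so the key and the lookup table are the pieces that need the separate, access-controlled storage the GDPR describes.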

The above notes provide only an outline of certain consequences faced by businesses under the forthcoming GDPR. Unfortunately this is not something businesses can ignore until May 2017, and it makes sense to start addressing how to implement the required changes if they have not begun already. For example:

  • reviewing staff policies
  • reviewing how and what data is collected at present, checking whether or not consent from the data subject is obtained
  • reviewing the use of sub-contractors and suppliers and any relevant contracts already in place
  • planning on how to deal with data breaches, checking what technical and organisational measures are in place
  • conducting risk assessments.

More guidance is expected from the Information Commissioner (ICO) in the coming weeks and months which should be helpful. In the meantime – see here for some preparatory advice from the ICO https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf