The General Data Protection Regulation (GDPR) is a regulation that will apply to all businesses within the UK/EU from 25 May 2018, and failure to comply will attract penalties much tougher than those under the current Data Protection Act (DPA) that it replaces. Organisations that breach the Regulation can expect fines of up to 4% of annual global turnover (NB turnover, not profit) or €20 million, whichever is greater.
Individuals have considerably more rights under GDPR. The main rights for individuals will be:
- subject access,
- to have inaccuracies corrected,
- to have information erased,
- to object to direct marketing,
- to object to automated decision-making and profiling, and
- data portability.
Children are given specific protection under GDPR. Where online services rely on consent, parental consent must be obtained for children under the age of 13 in the UK; the GDPR default is 16, and other EU member states may set any age between 13 and 16.
Consent also has to be a positive indication of agreement to personal data being processed: it cannot be inferred from silence, pre-ticked boxes or inactivity.
GDPR places accountability obligations on data controllers to demonstrate compliance. This means documenting the personal data you process and, for higher-risk processing, conducting a data protection impact assessment. It also means implementing data protection by design and by default in systems, processes and procedures, for example: storing only what is needed, for only as long as it is needed (data minimisation and storage limitation); limiting access to those who need it; and protecting it from loss or unauthorised disclosure, e.g. with encryption.
Privacy notices (data processing notices) will need to be issued or reworked to let individuals know:
- What information is being collected,
- Who is collecting it,
- How it is collected,
- Why it is being collected,
- How it will be used,
- Who it will be shared with,
- How long it will be kept, and
- The individual's rights, including the right to complain to the ICO.
Common questions we have been asked
“Because of Brexit we don’t have to do it, right?”
Wrong. The Information Commissioner's Office (ICO) has stated that the GDPR will replace the Data Protection Act (DPA) in the UK regardless of Brexit, since it takes effect before the UK leaves the EU. Read the guidance from the ICO on what to expect and when.
“What can we do to prepare?”
Review the personal data you hold and ensure that it is required and that you have a documented lawful basis and approval to hold it. Review consent forms to ensure that the data subject gives informed consent, with no tricks or double negatives in the wording. It needs to be clear what data you will hold, what you will do with it, and how you will protect it. These are just some of the headlines. If you would like to know more, please contact us for a consultation.
“Sounds complicated – what happens if I don’t do anything?”
If personal data is breached from your business and you have not complied with GDPR, you can expect regulatory action, including fines, as well as loss of reputation and loss of business.