Is your business ready for the new GDPR?
The General Data Protection Regulation becomes law in May 2018. This law impacts every business and organisation that holds personal data on their customers, i.e. most businesses.
Let me ask you: are you, your senior management team and IT staff aware that:
- The GDPR comes into force in May 2018, and how it differs from the current Data Protection laws?
- Complying with the GDPR requires a review of your existing data protection policies and procedures as well as the introduction of new measures?
- Failure to comply with this new law can result in your company being fined up to €20 million?
If not, then you are far from alone. Few companies are prepared for the introduction of this new regulation. As this is an EU regulation, the picture has been muddied by the Brexit vote, which has delayed many UK companies in implementing the needed measures.
However:
- The GDPR will come into force before we leave the EU;
- The Government has underlined the fact that the UK must be seen as a data protection compliant country post-Brexit;
- The GDPR will impact non-EU businesses as it covers the processing of personal data of EU citizens wherever in the world this occurs.
It is important that companies which hold or use the personal data of European citizens take immediate action. This includes:
- Reviewing your client facing documentation
- Re-writing your terms and conditions
- Creating separate legal documents on the capture, use and termination of personal data.
The GDPR is considered to be the most heavily negotiated piece of European legislation that has ever come into effect. This view is supported by the length and complexity of the documentation.
Else Solicitors can help you understand how the regulation applies to your company and how you can achieve compliance. We invite you to contact Adam Gilbert, Head of Corporate and Commercial on 01283 526229 or at adam.gilbert@elselaw.co.uk for more information.
Most data breaches are caused by employees, so a complete compliance solution requires staff training. We have teamed up with i-Secured who will ensure that data protection is embedded into the DNA of your business so that you are fully protected.
This brief article covers:
- Key Takeaway Points
- What is the GDPR?
- What Does the GDPR cover?
- How Does the GDPR Impact My Business and What Steps Should I Take?
- Why Else?
Reading time: 4 minutes
Key Takeaway Points
- The GDPR replaces the Data Protection Directive on 25th May 2018. This impacts all organisations that hold or process the personal data of EU citizens. Each business will be impacted differently and needs to take numerous steps now to ensure compliance is achieved within the required time-frame.
- The GDPR demands a high level of consent for marketing activity. Businesses must be able to provide proof that consent has been given by the individual to hold and process their data for each particular purpose. This includes reviewing the personal data they currently hold and where it came from.
- The GDPR requires certain companies to appoint a data protection officer who has expert knowledge of data protection. This usually applies where you are processing sensitive data or large amounts of personal data.
- The National Data Protection Agency (NDPA) has the power to audit companies and apply fines for failure to comply with the GDPR. Any data breaches must be reported to the NDPA within 72 hours.
- The GDPR is a complex regulation that requires legal support including reviewing existing customer contracts and producing new terms and conditions which adhere to the GDPR. Employee training is highly recommended as most data breaches are caused by employees making a mistake.
What is the GDPR?
The General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union on 4 May 2016. It will replace the Data Protection Directive with effect from 25 May 2018, so businesses only have a year within which to achieve compliance.
The GDPR will affect all businesses that hold or process the personal data of EU citizens. It is expected that this regulation will affect every business with a few rare exceptions where a company does not hold personal data.
Each business will be impacted differently. They must understand how the regulation applies to their business and take the needed actions. However, businesses that handle a significant amount of personal data will be the most affected.
A key element of the GDPR is not only increased compliance requirements, but also heavy financial penalties for non-conformity. Fines can be up to €20 million or 4% of annual worldwide turnover for groups of companies, whichever is the greater.
What Does the GDPR cover?
The key features of the GDPR are:
- Consent
Businesses in the UK have, to date, been able to rely on implied consent. Under the GDPR, they must be able to demonstrate that an individual gave their explicit consent to the processing of their data.
Consent must be given by a clear affirmative action whether this is through a written, electronic or oral statement. Businesses will bear the burden of proof that consent was validly obtained.
Companies must:
- Audit and document the personal data they currently hold, recording where it came from and who they shared it with (where consent was given)
- Review customer contracts to ensure compliance
- Review the legal basis for the various types of processing that they carry out and document this.
Individuals have the right to withdraw their consent to holding and processing their data for marketing purposes and this must be respected.
- Technical and Organisational Implementation
The GDPR will require businesses to implement technical and organisational measures to ensure that the requirements of the GDPR are met such as:
- Putting the appropriate policies and processes in place;
- Ensuring your IT security is fit for purpose;
- Having robust disaster recovery plans and procedures; these must include knowing where your data is and who has access to it;
- Conducting data protection impact assessments where appropriate;
- Developing and implementing a data breach response plan, including complying with the data breach reporting obligations in the GDPR.
- Inspections
The National Data Protection Agency (NDPA) will have power to carry out audits, require information to be provided and obtain access to your premises. The NDPA will have the power to apply financial penalties for non-compliance on a two-tier basis:
- Fines of up to €10 million for violations relating to internal record keeping, data security, data breach notification or the lack of data protection officers.
- Fines of up to €20 million for violations relating to breaches of the data protection principles, conditions for consent, data subjects' rights or international data transfers.
Other important changes include:
- Expanded territorial scope: non-EU data controllers and data processors will be subject to the GDPR if they offer goods or services to data subjects in the EU or monitor data subjects' behaviour.
- Record requirements: businesses are required to maintain detailed documentation recording their processing activities. These obligations do not apply to organisations employing fewer than 250 people unless the processing is likely to result in high risk to the rights and freedoms of individuals, the processing is not occasional or the processing includes sensitive personal data.
- Know how you are compliant with the regulation: you must understand the GDPR and the measures that you have taken to conform with it.
- Changes in pseudonymisation regulations: this refers to changes in the regulations covering the processing of personal data in such a way that it can no longer be attributed to a specific individual without additional information.
- Strict data breach notification rules: the GDPR requires you to notify the NDPA within 72 hours of a data breach. If the breach is unlikely to result in high risk to the individuals, the GDPR requires businesses to inform data subjects "without undue delay".
- The right to erasure: individuals will have the right to request that you delete personal data about them in certain circumstances.
- Individual access requests: if an individual requests information about the data held on them, then an organisation must reply within one month from the date of receipt of the request and provide more information than is required under the Data Protection Directive.
How Does the GDPR Impact My Business and What Steps Should I Take?
The GDPR is a complex piece of EU regulation. It impacts every business in a different way. It requires:
- The production of compliant legal documentation
- Changes in policies and procedures
- Maintenance of records including those giving consent and those describing processing activities
- Employee training: this is not a prescribed part of compliance, but it is highly recommended as most data breaches are caused by employees taking the wrong action.
Else Solicitors and i-Secured can help you to achieve full compliance with the GDPR.
Why Else?
Else is a modern, dynamic and forward-thinking firm of solicitors who have the expertise you expect from a large, traditional law firm.
You will discover that we are different to other legal firms. We will help you achieve compliance and then look at other ways that we can add value to your company. This could include introducing you to new customers or suppliers in our extensive network or offering you some new insight into your market or your business.
Else Solicitors has an enviable reputation for always going the extra mile and offering a personal, jargon-free service. Your business is not only in trusted legal hands but will also benefit from our extensive business knowledge, experience and contacts.
If you are concerned about GDPR compliance, then we urge you to contact Adam Gilbert, Head of Corporate and Commercial on 01283 526229 or at adam.gilbert@elselaw.co.uk at your earliest convenience.
Experience the Else difference today!