Data Protection law is changing. You may have already heard of the GDPR or General Data Protection Regulation which took effect on the 25th of May 2018. The GDPR is a new piece of legislation from the European Union which replaces the UK Data Protection Act or DPA (1998). Britain’s decision to leave the EU will not affect the implementation of this new law, which will apply to companies across the world that process personal data belonging to citizens from the EU. This means that not only will the GDPR Data Protection law apply to businesses within with European Union, but also to everyone in the rest of the world who provide products or services in the EU.
Who will be affected?
The new law applies to any business handling the information of EU citizens although if you were affected by the DPA, you are likely to be subject to the GDPR. More specifically, the GDPR Data Protection law outlines ‘controllers’ and ‘processors’ of information. Under the regulation, controllers are those who make decisions as to how and why personal information is processed while the processor acts on their behalf. These definitions are similar to those under the Data Protection Act however, controllers and processors will have new obligations under GDPR Data Protection law
Under the GDPR, processors are responsible for maintaining records of personal data and will be liable for any breach in the way the information is handled. Controllers on the other hand, have the added responsibility of ensuring that they comply with the GDPR when dealing with processors.
Consequences of non-compliance
Businesses across the UK and globally are required to comply with the General Data Protection Regulation and the consequences of failing to do so could be severe. The European Data Protection Authority are able to take action against businesses anywhere in the world who fail to comply with the legislation. Non-compliance could result in businesses receiving fines of up to €20 million Euros or the equivalent to 4% of their yearly global turnover. Failure to attain valid consent could also result in any personal data handling activities being shut down by the authorities.
How can I prepare my business?
Firstly, you should check that your current data protection procedures are up to date and comply with the new legislation. If not note down what you are not doing. We can help you with this. Ensure that your business can demonstrate that it has effective procedures in place to prevent any breaches of personal data. It is also be necessary to provide training to employees on the updates to data protection laws and ensure that they understand the procedures in place within your business for handling data.
The ICO has made a twelve point plan businesses to follow in order to comply with the GDPR that you may find useful and which is available on their web site
If you need any help dealing with your Data Protection responsibilities please call Dominic Moss on 01606 872200 See our our in house data compoliance counsel service Here