The Essentials of GDPR
Data protection laws are changing. You may already have heard of the GDPR, or General Data Protection Regulation, which takes effect on the 25th of May 2018. The GDPR is a new piece of European Union legislation which will replace the current UK Data Protection Act, or DPA (1998). Britain’s decision to leave the EU will not affect the implementation of this new law, which applies to organisations anywhere in the world that process the personal data of individuals in the EU. This means that the GDPR will apply not only to businesses within the European Union, but also to organisations in the rest of the world that offer goods or services to people in the EU or monitor their behaviour there.
Who will be affected?
The new law applies to any business handling the personal data of individuals in the EU, so if you are currently subject to the DPA, you are almost certainly subject to the GDPR. More specifically, the GDPR distinguishes between ‘controllers’ and ‘processors’ of information. Under the regulation, controllers are those who decide how and why personal information is processed, while processors act on their behalf. These definitions are similar to those under the Data Protection Act; however, both controllers and processors take on new obligations under the GDPR.
Under the GDPR, processors will for the first time have direct legal obligations of their own: they must keep records of the processing they carry out, and they can be held liable for breaches of the rules on how information is handled. Controllers, on the other hand, take on the added responsibility of ensuring that any processor they use provides sufficient guarantees of GDPR compliance, and of putting a written contract in place with them.
What data will it apply to?
The General Data Protection Regulation applies to personal data; however, its definition of this type of data goes further than that in the Data Protection Act. Under the GDPR, personal data is any information relating to an identified or identifiable individual, which explicitly includes online identifiers such as IP addresses and cookie IDs, as well as location data and information about a person’s economic, genetic or cultural identity.
The GDPR also specifies the formats that the regulation applies to. The new law will cover both automated data stored on computer systems and data stored manually in physical filing systems.
While the new law will not apply to data processed for national security purposes or in the course of purely personal or household activities, the majority of personal information used by businesses will be subject to the GDPR. It will therefore be difficult for companies to avoid complying with the new legislation from next year.
Changes to consent when collecting personal data
The General Data Protection Regulation will also change the way that businesses collect data. Consent is one of several lawful bases for processing personal data, but where a business relies on it, the bar is higher than under the DPA: consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and the business must be able to demonstrate that it was obtained. Pre-ticked boxes and silence will no longer count. In order to obtain valid consent, businesses must request it in clear, plain language, separately from other terms and conditions, and must state clearly what the data will be used for. Individuals must also be able to withdraw consent as easily as they gave it.
Changes in the workplace
Many businesses may find that the GDPR changes little about the way they store data, since they are already complying with the current legislation. The way that contact details, databases or HR records are stored is likely to remain largely unaffected, although each of these will need to be covered by the records of processing described above.
Other organisations, including all public authorities, will be required to implement a number of changes. A Data Protection Officer, or DPO, must be appointed by public authorities, by organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and by those processing special categories of data (such as health or criminal records) on a large scale. Rather than focusing on the size of the organisation in terms of employee numbers, the General Data Protection Regulation focuses on the scale and nature of the information and how it is used.
The General Data Protection Regulation also requires all systems, software and processes that handle personal data to comply with the new legislation. They will have to follow the principle of data protection by design and by default, an example of which would be ensuring that an individual’s data can be located and erased if they request it.
Another change that the GDPR may bring to the workplace is the introduction of Data Protection Impact Assessments, or DPIAs (often referred to as Privacy Impact Assessments or PIAs). These assessments must be carried out before any processing that is likely to result in a high risk to individuals, such as large-scale profiling or the use of new technologies, in order to identify and minimise those risks. The controllers within a business will be required to carry out a DPIA before starting such projects, and they will also need to work closely with their Data Protection Officer to ensure that they comply with the GDPR throughout the project. Where a DPIA identifies a high risk that cannot be mitigated, the controller must consult the supervisory authority before going ahead.
The long-term use of data
Under the General Data Protection Regulation, businesses will be prohibited from keeping personal data for longer than is necessary for the purpose it was collected for, and will be required to delete information if requested to do so by the individual, unless another legal ground for keeping it applies. Businesses will also not be allowed to use the data for a new purpose that is incompatible with the one for which it was originally collected. In order to use the data for such a different purpose, businesses will need a fresh lawful basis, which in practice will usually mean obtaining new consent from all of the individuals whose data the change affects.
Consequences of non-compliance
Businesses across the UK and globally will be required to comply with the General Data Protection Regulation, and the consequences of failing to do so could be severe. Each EU member state’s supervisory authority (in the UK, the Information Commissioner’s Office, or ICO) will be able to take action against businesses anywhere in the world that fail to comply with the legislation when processing the data of people in its territory, with the European Data Protection Board coordinating cases that cross borders. Non-compliance could result in fines of up to €20 million or 4% of a business’s annual worldwide turnover, whichever is higher. Supervisory authorities will also be able to impose a temporary or permanent ban on processing, so a failure to obtain valid consent could result in the affected data handling activities being halted altogether.
How can I prepare my business?
The introduction of the General Data Protection Regulation may seem daunting at first glance, but there are some simple steps that you can take to prepare for the changes ahead. Firstly, check that your current data protection procedures are up to date and comply with the current legislation, and audit what personal data you hold, where it came from and who you share it with. Ensure that your business can demonstrate that it has effective procedures in place to prevent, detect and report breaches of personal data; under the GDPR, most breaches must be reported to the supervisory authority within 72 hours of becoming aware of them. It may also be necessary to provide training to employees on the updates to data protection law and to ensure that they understand the procedures in place within your business or organisation for handling data.
The ICO has published a twelve-step plan for businesses to follow in order to prepare for the GDPR, which you may find useful and which is available on its website.
If you need business law advice, contact our team on 0800 434 6544