By Thomas Newlyn, Associate Solicitor
“Accountability is at the centre of all this: of getting it right today, getting it right in May 2018, and getting it right beyond that.”
The European General Data Protection Regulation (GDPR) was published in the Official Journal on 4 May 2016 and came into force on 25 May 2016. It will be implemented on 25 May 2018 and will be applicable to all businesses.
The Information Commissioner, Elizabeth Denham, in a speech earlier this year, emphasised the importance of ‘accountability’ and of ‘getting it right’. With less than seven months until the GDPR is implemented, it is pivotal that your business is prepared.
What is the purpose of the GDPR?
The GDPR has widely been referred to as ‘the biggest shake-up of European data protection law for 20 years’.
The intention is to provide a harmonisation of data protection law across all member states of the European Union (EU). This will allow citizens in the EU to understand how their data is being processed, facilitate citizens’ access to their data and allow them to raise a complaint.
The purpose of the GDPR is to bring greater accountability and transparency to businesses which hold personal data.
Will the GDPR affect your business?
In a nutshell, your business will be affected by the GDPR if it has data flows. This means that the GDPR will affect your business if it holds, uses and maintains individuals’ data. Whilst much data is now digital, the GDPR will also affect data records that are recorded on paper. Practically speaking, the GDPR will affect your business if it:
1. maintains employees’, suppliers’ or any other individuals’ data on its IT systems and paper records (including payroll); and
2. sends updates or marketing correspondence in any format to clients or any prospective clients.
How to ensure your business is GDPR compliant
It is pivotal that key decision makers within your business are aware that the current data protection law is changing to the GDPR. This will include staff being aware of their rights and responsibilities. Practically speaking, this may involve appropriate training, and, on a higher level (if your business has more than 250 employees), you may need to hire or instruct a Data Protection Officer to help advise your business on dealing with the GDPR. Certain member states of the EU are likely to make this step mandatory; particularly in member states where the obligation exists in national law (for instance in Germany).
One of the most important changes under the GDPR is how individuals’ consent for their data to be processed is obtained. Individuals’ consent is required for instance where your business sends marketing emails and texts, updates or reminders to clients. Under the current law, implied consent is sufficient, however, under the GDPR, consent must be freely given, specific, informed and unambiguous. From a practical perspective, businesses must offer individuals a positive opt-in. An example of this would be a form with the option of ticking a box giving consent rather than a pre-ticked box.
Your business will need to ensure it is prepared to respond and comply with the individuals’ rights under the GDPR. Under the GDPR, individuals have important new rights including the right of access, the right to rectification, the right to erasure and the right to data portability. For example, should an individual wish to transfer their personal data and use its right to data portability, your business will need to be in a position (within a month) to provide the individual with their data in a structured, commonly used and machine-readable form.
Under the GDPR, an individual will still be entitled to make a subject access request to view their personal information. This being said, your business will have a month to comply with the request (rather than 40 days under the current law) and the applicant will no longer have to pay a fee (which is £10 under the current law).
There is an emphasis, under the GDPR, on accountability. It is not sufficient to comply with the GDPR, you must be able to show how you have complied. Practically speaking therefore, your business must document the personal data it holds. This means it should be aware of where the data came from, where it is kept and who it is shared with.
It may therefore be necessary for your business to organise an information audit to ensure compliance. Data processing which could put data at risk may need to undergo a Data Protection Impact Assessment to help your business identify the most effective way to comply with data requirements under the GDPR.
What are the consequences if your business fails to comply?
Under the current law, the maximum fine the Information Commissioner’s Office (ICO) can give is £500,000. Last year, the ICO ‘issued more than £1 million in fines for breaches of the Data Protection Act, so it’s not a power (they’re) afraid to use’.
Under the terms of the GDPR, the ICO will be given considerable additional power when it comes to fining businesses which do not comply with their data obligations. The maximum fine will now be 4% of a business’ global annual turnover or €20 million, whichever is the greatest.
And a final word on Brexit
While there is much uncertainty surrounding Brexit, the Government confirmed on 21 June 2017 its intention to bring the GDPR into English law following the UK’s departure from the EU. The intention is for the UK to continue to receive personal data flows and maintain its ability to share data with EU members and internationally once Brexit has occurred.
Should you have any queries regarding compliance and/or the steps your practice may need to take to be ready for the implementation date, please do not hesitate to contact a member of the CooperBurnett Corporate and Commercial team on 01892 515022.
