The General Data Protection Regulation (GDPR) will come into force in the UK on 25 May 2018. In short, the GDPR is a new law that significantly extends and strengthens the current law and regulatory regime in relation to data privacy and data protection. It concerns the rights of individuals and how organisations handle an individual’s personal data.
The new regime is, in part, intended to force a cultural change in how organisations protect the personal data of private individuals and bring the law up to date with advances in technology and the proliferation of internet based technology and social media. It is, therefore, much stricter than the current regime and the regulator (the Information Commissioner’s Office) will have the power to impose much greater financial penalties.
Businesses and all organisations that hold and process the personal data of individuals must be compliant with the new regulations. They will also be required to actively demonstrate compliance with the new regulations when they come into force.
When GDPR commences, the Information Commissioner’s Office will have the power to impose fines for non-compliance of up to 4% of a company’s annual global turnover for the preceding financial year or the equivalent of 20 million Euros – whichever is greater. It is crucial that all organisations take action now in order to adequately prepare for GDPR. The changes are significant and are likely to take many months to fully implement across an organisation.
In brief, here are some of the key facts to be aware of and look into further:
- GDPR comes into force in the UK on 25th May 2018. The UK leaving the EU will not affect the implementation of GDPR.
- GDPR applies to ‘Data Controllers’ and ‘Data Processors’ alike. Data Controllers will be responsible for any data breaches committed by a Data Processor.
- The way that businesses record their customers’ consent will change significantly. Businesses will need to ensure that they have adequate, GDPR compliant consent (or another legal basis for doing so) if they are to process an individual’s personal data.
- Businesses will need to provide customers with much more detailed Privacy Notices.
- Businesses will not be permitted to process customer data if they do not have a legal basis for doing do. The legal basis will need to be adequately documented.
- A principle of “accountability” will apply. Businesses will need to be able to adequately “demonstrate” compliance with the data protection principles.
- The rules regarding Subject Access Requests are changing significantly. Failure to comply with the new rules on Subject Access may result in a fine of 4% of annual global turnover for the preceding financial year or the equivalent of 20 million Euros – whichever is greater.
- Some organisations will be required to appoint a Data Protection Officer.
- In certain circumstances, companies will be required self-report a data breach to the Information Commissioner’s Office (“ICO”) within 72 hours of the breach.
Stephensons can assist you with all aspects of data protection law and help you to ensure that you are fully prepared for GDPR. For further information, contact us now on 0175 321 6399.