The General Data Protection Regulation (the “GDPR”) is coming into force in just over a year and the pressure is on to ensure you are ready. The EU regulation is set to make significant changes to Data Protection law that will, ultimately, impact upon your contracts, policies and procedures surrounding your handling of personal data.
Below is a brief summary highlighting some of the key changes the GDPR will bring about. It is intended to assist in ensuring that you and your business become fully compliant by the 2018 deadline for doing so.
The key changes can broadly be classified as procedural changes, changes to an individual’s rights and changes with regards to your accountability.
Data Protection Officers – If the core activities of your business require regular monitoring of personal data on a large scale, as part of your accountability program, you will need to appoint a dedicated Data Protection Officer to deal with all data protection enquiries and to manage any related breaches.
Direct Obligations – The GDPR will impose additional obligations on you such as maintaining written records of all data handling activities carried out on behalf of third parties and notifying third parties of any breaches without undue delay. You will also be required to consider privacy risks in other aspects of your business, such as the designing and delivery of new products and services.
Changes with regards to Individuals’ rights
Consent and Fair Notice – The GDPR requires that you obtain specific consent from data subjects. Your data subjects will need to be provided with full details of how you intend to handle their personal data and how long you will hold that data for. They will also need to be made fully aware of their right to object and to withdraw such consent.
Marketing – Data subjects have the right to be forgotten and the right to object to their data being used for direct marketing purposes.
Transfer of data – If you are requested to transfer to another data controller or organisation any data you hold relating to an individual, you must do so in a structured and legible format.
Changes with regards to your Accountability
Accountability – A higher level of accountability is placed on data controllers to show compliance with the GDPR. Data controllers must maintain additional documentation relating to processing operations and conduct data protection impact assessments for high risk projects and services.
Higher fines – You may be subject to fines of up to 4% of annual worldwide turnover or €20 million, whichever is the higher, for any serious breach of your obligations under the GDPR. Examples of such a breach include the failure to comply with the basic principles for processing or the regulations on international transfers.
There are also some additional changes which will be brought about by the GDPR, for example an expanded territorial reach. If your business is based outside of the EU, the current DPA rules only require you to comply if you have an established branch based in the EU itself. Under the new GDPR however, you will be subject to the GDPR wherever you are based, if you are targeting EU citizens. This means many more businesses will be subject to the rules.
The GDPR also includes a broader definition of personal data, which will now include cookie IDs and IP addresses if these are used in conjunction with other information you hold to identify an individual. The definition of sensitive data will also be expanded to include genetic and biometric data.
How can you prepare?
In light of the above changes, we recommend that you start preparing as soon as possible. Below are some steps you can take to ensure your business is GDPR-ready:
- Review the personal data you collect and process and consider your IT security, data protection policies, consent procedures and notice procedures;
- Put in place or review your existing data protection agreements;
- Review the way in which your data subjects are able to manage their privacy preferences;
- Develop a data breach response plan;
- Appoint and train a data breach response team to assist your business in managing any data breaches; and
- Ensure you understand the key duties and responsibilities of a Data Protection Officer and consider who you will appoint to the role!
If you would like more information or advice on the GDPR and how it might affect your business, or if you need assistance complying with the regulation, please contact the commercial team at Harrison Clark Rickerbys and one of our specialist data protection lawyers will be happy to help!