General Data Protection Regulations (GDPR)
23rd April 2017
The General Data Protection Regulations (GDPR) comes into force on 25 May 2018 and replaces the existing Data Protection Act 1998. While the new legislation is a result of European law, the Government has confirmed that it will still apply to the UK despite Brexit.
Some of the major changes include:
- Breaches- Currently UK organisations are encouraged by the Information Commissioner’s Office (ICO) to report data breaches to them. Under the new legislation, notifiable breaches must be reported to the ICO within 72 hours. For certain breaches the individuals involved and the public may also need to be notified.
- Policies and Procedures- Many of the new rules will require changes to your policies and procedures. In addition, data protection rules will need to be integrated throughout your policies and not just your data protection policy (if you don’t have one, you certainly need to rectify this as soon as possible). For example, your marketing policy will need to incorporate the rules for disclosure and permission, and your IT policies will also need to incorporate aspects of GDPR.
- Disclosure- You will be required to disclose far more information on forms regarding how data will be used, how long it will be retained and, if it will be held outside the EEA, how it will be secured.
- Permission- The rules on obtaining consent for using data have also been tightened up and clear affirmative action will be required from the individual. In other words, pre-ticked boxes will no longer be sufficient for showing that permission has been granted for processing. The rules have also been tightened with regard to obtaining consent for processing data from children.
- Access- Individuals’ rights to access information held about them and how that data has been used will be strengthened, and there will be strict timescales for replying to information requests.
- Accountability- You will be required to be able to demonstrate to the ICO that you comply with the data processing rules.
- Enhanced Rights- Under the act individuals have far greater rights including the right to be forgotten and data portability rights.
- Penalties- The penalties for failure are far more severe under GDPR. Failures can lead to the ICO issuing a fine up to the greater of €20 million or 4% of global turnover.
The rules are therefore going to cause a major administrative burden for many organisations. Organisations will need to start looking, as soon as possible, at their procedures for collecting, processing and storing data so they don’t suffer the severe penalties under the new regime.
The ICO has started issuing draft guidance and consultations on how the new legislation will apply to the UK. This guidance will prove key in how the new rules will apply and what UK organisations will need to do to comply. We will provide further updates and advice once the new guidance is available. If you require any further advice or support in the meantime then please contact us.
Steven Cunningham, Technical Partner