The clock is ticking on the GDPR countdown, with under a year to go until the legislation comes into force on 25th May 2018. This new regulation will be compulsory and, if you are found not to be compliant, your company could be fined up to €20 million or 4% of annual global turnover. The general idea of the GDPR is to provide a single legal framework, which will apply to all members of the EU, to streamline and simplify the jumbled legislation that currently covers data protection. Furthermore, our ever-evolving assortment of digital and online services leaves old legislation seeming prehistoric, so the GDPR will modernise the rules to reflect our digital age.
Previously, compliance obligations fell only on ‘data controllers’. However, the GDPR will also apply to data processors. The controller says how and why data is processed and the processor acts on the controller’s behalf; the definitions will be broadly the same as those set out in the Data Protection Act. So, what does all this mean for you and your business? In basic terms, you are required to keep a clear paper trail which demonstrates where the data was sourced, what consents you have for its use, confirmation that permission has been given, and a record of any third parties it has been shared with.
The first data protection duck we suggest you align is in relation to any data already held. You must ask yourself whether you know where the data has come from and whether you have a record of the requisite permissions obtained to use the data. Another good practice is to consider whether you have made contact with the data subject within the last 12 months, and to abide by the motto ‘if you don’t use it, lose it’. If the data held does not comply with the GDPR, then it is best to remove it so you are not at risk of being fined. Another consideration to be borne in mind is that any privacy statements will need to be revised, so that you can ensure they are transparent and there is no doubt in the data subject’s mind about what their information is being used for.
Key principles that you and your business should take from the GDPR include being accountable and transparent, which we briefly touched upon above: you need a paper trail confirming the source of your consents and a transparent privacy statement. Secondly, and equally important, the consent obtained must be freely given, unambiguous and given by means of a statement or clear affirmative action. Under the new legislation, the frequently used methods of silence or pre-ticked boxes are unlikely to be classed as a clear affirmative action.
If there are no legitimate grounds for you to keep the data, the subject has the right to request that their data be deleted, which also involves the obligation to take reasonable steps to inform any third parties with whom the data has been shared. Similarly to requesting removal of data, the subject has the right to request access to their data free of charge within 1 month.
Subjects can request that their data be provided in a usable format so that it can be transferred to another data controller. As a general rule, you must report any breaches to the supervisory authority within 72 hours, and any that are high risk must also be communicated to the data subject. If your core activities include processing operations that require regular monitoring of individuals on a large scale, or operations dealing with sensitive data, you will be required to appoint a data protection officer.
You might be wondering why we must be compliant with this regulation in light of Brexit. Firstly, the new rules will come into effect whilst we are still members of the EU, and therefore we will have to comply. Secondly, the laws are likely to be transposed into domestic legislation once we do leave, as a result of the ‘great repeal bill’. Finally, the GDPR will apply to all UK entities that do business in the EU. As this will be applicable to many UK businesses and will affect those trading within the EU member states, it seems plausible that the UK government will come to the sensible conclusion to reform UK legislation and harmonise with the EU. This will help to drive UK businesses towards the standard required to trade in the EU.
In summary, businesses should start looking now at their data protection obligations and their levels of compliance. Just like construction and use rules, drivers’ hours and other road transport legislation, this must be complied with. Fines for non-compliance can come from both the courts and the Information Commissioner’s Office.
Backhouse Jones will be running a number of courses for operators who want advice on their GDPR obligations, so please contact a member of the Marketing team on 01254 828300 if you would like further information.