Early last year the new EU General Data Protection Regulation (GDPR) was approved and companies will have until May 2018 to ensure they are compliant. Regardless of Brexit, if you collect personal data you must comply.
There are some key changes which include:
- Enhanced rights for individuals to access their personal information
- Potential fines for breaches up to 4% of the company’s annual turnover
- Compliance obligations for data processors as well as data controllers
- New consent requirements. Instead of consent to share personal information being implied, consent must be given freely and be unambiguous
- Appointment of a data protection officer
Where a data breach is likely to ‘result in a risk for the rights and freedoms of individuals’, it must be reported within 72 hours of discovery. Fines will increase substantially, to 4% of annual global turnover or €20 million, whichever is higher.
Data Subjects’ Rights
The GDPR ensures that people have a right to know what personal data of theirs is processed and why, and, if requested, the data controller must send them an electronic copy of that information free of charge. This helps to shift the power to data subjects rather than the processors and controllers. If your client asks to see what information you hold on them, you must provide that information in a clear, transparent, concise document that can be easily understood.
The right to be forgotten is also a key component of the GDPR: people can request that their personal information be erased. However, the data must no longer be relevant to the original purpose of processing, and you must ensure there is no ‘public interest in the availability of the data’ before erasing it.
Compliance and Accountability
Compliance with GDPR must be considered when designing and implementing systems. You must ‘implement appropriate technical and organisational measures… in an effective way… in order to meet the requirements of this Regulation and protect the rights of data subjects’.
Implied consent is no longer sufficient when obtaining and processing personal data. Consent must be unambiguous and given freely and actively, meaning the data subject must do something such as check a box in order to give consent – pre-ticked opt-in boxes will no longer be allowed. You must be able to demonstrate that consent was actively given. Furthermore, withdrawal of consent must be as easy as it is to give it.
You must also be able to demonstrate accountability and how you comply with the GDPR. Staff training, internal audits and impact assessments are examples of how to do this effectively. In addition, you must keep detailed records of the types of information processed, including how it is stored, who it is shared with and how it is kept secure.
You should take steps now to ensure you will be compliant with the regulations when they come into effect in May 2018. Start with a compliance review to identify the areas in which you need to improve and take steps to resolve them with staff training and by developing procedures and policies that you can implement over the coming months. Remember that data protection affects all corners of your organisation and all departments will need to understand and comply with the regulations. Support from senior management is therefore crucial in order for your organisation to implement changes successfully.
For more information on the GDPR visit EUGDPR.org
If you would like expert help to ensure your business is compliant with the Data Protection Act or to create a Data Protection Policy contact us at email@example.com