Next year sees the introduction of stringent new rules governing the safeguarding of personal data, with a new emphasis on transparency and accountability.
The new General Data Protection Regulation
On 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect, requiring all organisations that deal with individuals living in an EU member state to fully protect the personal information belonging to those individuals, and to have documented proof of such protection. The UK’s decision to leave the EU will not affect the introduction of the legislation in the UK.
The new GDPR requires a consistent and transparent approach to data processing, and the financial penalties for failing to comply are severe – with fines of up to €20m or up to 4% of total annual worldwide turnover.
New requirements for businesses
While the principles of the new GDPR are broadly similar to the existing Data Protection Act (DPA), there are some key changes placing additional obligations on businesses.
A fundamental new requirement of the GDPR relates to accountability. Businesses must be able to identify their lawful basis for processing personal data, and document this. The GDPR also prioritises the issue of consent, requiring that an indication of consent must be specific, unambiguous and freely given.
Another principle central to the GDPR is the concept of ‘data protection by design and default’, by which firms build in the necessary privacy and security protections from the outset rather than as an afterthought. In some circumstances, businesses will be required to undertake a Data Protection Impact Assessment.
The GDPR applies to both ‘controllers’ and ‘processors’ of personal data. Under the new laws, processors will be specifically required to maintain records of personal data and processing activities, and will have increased legal liability for any breaches (including reporting certain breaches).
Meanwhile, controllers will be under additional obligations to ensure that their contracts with processors are in compliance with the GDPR.
New definitions of personal data
Reflecting the significant growth in the digital economy and changes to the way in which information is collected, the GDPR extends the DPA definition of ‘personal data’ to cover a larger range of personal identifiers, including online mechanisms such as IP addresses.
‘Sensitive’ personal data, defined in the GDPR as ‘special categories of personal data’, has also been expanded to include such categories as genetic data and biometric data where this is used to identify an individual person.
Preparing for the regulations
Businesses should take steps now to make sure they are ready for the new legislation. Some of the main areas for action might include:
- Making sure members of staff are aware of the new regulations, and providing ongoing training
- Identifying the lawful basis for your data processing activity
- Reviewing and classifying the personal data your business holds, its origins and who you share it with
- Creating an audit trail
- Reviewing your procedures relating to consent, requesting and documenting fresh consents from customers where necessary to ensure that your business is seeking, collecting and managing consent in line with the GDPR
- Updating procedures to ensure they cover the enhanced rights for individuals, including the right to have data erased and the right to data portability, as well as new protection for children’s data and the reduced 30-day deadline for subject access requests
- Reviewing your privacy notices
- Adopting a principle of ‘data protection by design’ for all future projects
- Including procedures for identifying and investigating data breaches
- Assigning responsibility for data protection to a key member of staff; appointing a Data Protection Officer (DPO) will be a legal requirement for some organisations
- Making sure that your data and processes are regularly reviewed to ensure that they remain compliant.
Further information and guidance can be found on the Information Commissioner’s Office website: www.ico.org.uk.
With new regulations approaching, businesses are advised to review their data privacy and security practices ahead of time, identifying areas of risk and introducing robust processes and controls.
This article is for general guidance only, and you are always advised to consult an expert before taking any action.