BE READY FOR GENERAL DATA PROTECTION REGULATION
17th August 2017
GDPR comes into force on 25 May, 2018 and one of its primary aims is to give more control back to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
What is Data Protection?
Data protection laws protect individuals’ fundamental right to privacy. These laws are designed to empower people to control their information and to allow them to protect themselves from abuse. Comprehensive data protection laws exist in the UK which means that organisations, public or private, that collect and use individuals’ personal information have the obligation to handle this data according to a number of basic principles.
The data protection legislation currently in force in the UK is the Data Protection Act 1998 (“DPA”). However, this is set to be updated with the General Data Protection Regulation (“GDPR”) coming into force on 25 May 2018.
What changes does the GDPR make to data protection?
Whilst the GDPR does not alter the main concepts of data protection there are still significant changes and the scope of the protection is increased.
If your organisation is located outside the EU, the new laws will still apply directly to your organisation in certain scenarios reflecting that in today's world, business has become truly borderless.
The GDPR is designed to update and strengthen the protection of personal data under the outdated DPA. It is expected to address globalisation and developments in how we use, share and store data. For instance, it will tackle data protection in relation to cloud computing and social networks. It will also give names to the rights of individuals e.g. the ‘right to be forgotten’ and it is envisaged that individuals will become more proactive in enforcing their rights because of this.
GDPR Key Changes Summary
- Harmonisation across and beyond the EU (a one-stop-shop).
- Data Protection Officers – you may need a mandatory DPO.
- Penalties significantly increased.
- Consent as a basis for legal processing now needs to be freely given, specific, informed and an unambiguous indication of the individual’s wishes.
- Mandatory Breach Reporting.
- Privacy by Design & Default (i.e. not just an afterthought).
- Data Protection Impact Assessments for all high risk projects.
- Increased Data Subject Rights for individuals including ‘the right to be forgotten’.
What is ‘Personal Data’?
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier for example an IP address can be regarded as personal data. The broader definition provides for a wide range of personal identifiers to be considered as personal data, reflecting changes in technology in the past 20 years and the modern ways in which organisations collect information about people.
For most organisations holding personal data will include keeping: employee information, customer lists, mailing lists and contact details. Despite the definition change it should make little practical difference and it is safe to assume that if you hold information that falls within the scope of the DPA then it will also fall within the scope of the GDPR.
Does it Apply to my Business?
The GDPR applies to any ‘Data Controller’ trading in any EU Member State that collects, manages, stores or uses ‘personal data’ (as defined in the GDPR). Such organisations are legally obliged to properly protect personal data. Be aware that the GDPR is not optional – it is mandatory!
One significant change introduced by the GDPR is that it now places direct statutory obligations on ‘Data Processors’. ‘Data Processors’ process the data on behalf of the data controller. Data Processors can be either individuals or "legal persons" such as companies e.g. payroll companies, accountants and market research companies. These obligations mean that data processors may be subject to direct enforcement by the ICO and therefore serious fines for non-compliance.
If you are currently subject to the DPA, it is highly likely that you will also be subject to the GDPR. It is always worth checking if you are a Data Controller, a Data Processor, both or neither.
The GDPR and Brexit
How Brexit will impact the GDRP is still not entirely certain at the point of writing. One thing we do know with reasonable certainty is that it is highly unlikely that the UK will exit the EU before the GDPR comes into force on 25 May 2018 meaning that UK organisations will need to be prepared for the GDPR regardless of Brexit.
The UK government announced a new UK Data Protection Bill in the Queen’s Speech (the “Bill”). The Bill is a part of the government’s plans to bring UK data protection law into line with the GDPR and it is envisaged that this will mirror the GDPR in an attempt to achieve the government’s goal of ensuring an unhindered exchange of data between the UK and the EU after Brexit.
The UK government has stated that “Under the plans individuals will have more control over their data by having the right to be forgotten and ask for their personal data to be erased. This will also mean that people can ask social media channels to delete information they posted in their childhood. The reliance on default opt-out or pre-selected ‘tick boxes’, which are largely ignored, to give consent for organisations to collect personal data will also become a thing of the past.”
What Do I Need To Do?
The GDPR should be a priority for organisations across Europe throughout 2017, but many organisations (especially private SME’s) will find that the time remaining is not long enough to do all that needs to be done.
The Information Commissioner’s Office (ICO) has set up a new microsite athttp://dpreform.org.uk/ where you can view their ‘12 Step Guide on Actions To Take Now’ and get the latest guidance on the GDPR.
We would recommend that a good starting point for the majority of organisations would be to carry out a Personal Data Audit. This should be proportionate and balanced to your organisation’s services which should identify where personal data comes in, is used and exits your organisation. Although auditing and mapping your data is a time-consuming exercise once it is complete your organisation is in a good position to progress with GDPR compliance.
Understanding how, when and why you are collecting personal information is important. Failing to collect the right consent could result in a breach of the DPA now as much as in the future under the GDPR. As mentioned data audits can be large and time-consuming exercises but given the level of fines that the GDPR is set to impose (Up to €20M or 4% of global turnover) they are worthwhile.
If you need any guidance or assistance with GDPR preparation or training, carrying out a data audit or assistance with compliance please do not hesitate to contact us.
How Can WJM Help?
WJM can help your business meet its obligations and assist with the following:
• GDPR Compliance and Guidance
• GDPR transition services
• Policy drafting and updating
• Data Audits
• Data Mapping
• Staff Awareness Training
• Data Protection Officer (DPO) services
• Subject Access Request guidance and documentation
• Incident Management Assistance
For more information, or to arrange an appointment to discuss your GDPR needs, please email: firstname.lastname@example.org or call 0141 248 3434
The information contained in this newsletter is for general guidance only and represents our understanding of relevant law and practice as at August 2017. Wright, Johnston & Mackenzie LLP cannot be held responsible for any action taken or not taken in reliance upon the contents. Specific advice should be taken on any individual matter. Transmissions to or from our email system and calls to or from our offices may be monitored and/or recorded for regulatory purposes. Authorised and regulated by the Financial Conduct Authority. Registered office: 302 St Vincent Street, Glasgow, G2 5RZ. A limited liability partnership registered in Scotland, number SO 300336.