GENERAL DATA PROTECTION REGULATION (GDPR) WHAT IS IT AND DOES IT APPLY TO MY ORGANISATION?
3rd March 2017
What is Data Protection?
Data protection laws protect individuals’ fundamental right to privacy. These laws are designed to empower consumers to control their information and to allow them to protect themselves from abuse. Comprehensive data protection laws exist in the UK, which means that organisations, public or private, that collect and use individuals’ personal information have an obligation to handle this data according to a number of basic principles.
The data protection legislation currently in force in the UK is the Data Protection Act 1998 (“DPA”). However, this is set to change with the General Data Protection Regulation (“GDPR”) coming into force on 25 May 2018. The GDPR is a “regulation” rather than a “directive”, which means that from 25 May 2018 it will apply directly in all EU member states without the need for individual countries to pass their own implementing laws (the possible impact of Brexit on the GDPR is discussed below).
What changes does the GDPR make to data protection?
Whilst the GDPR does not alter the main concepts of data protection, there are still significant changes, and the scope of the protection is increased.
If your organisation is located outside the EU, the new laws will still apply directly to your organisation in certain scenarios, reflecting that in today’s world business has become truly borderless.
The GDPR is designed to update and strengthen the protection of personal data under the outdated DPA. It is expected to address globalisation and developments in how we use, share and store data. For instance, it will tackle data protection in relation to cloud computing and social networks. It will also give names to the rights of individuals, e.g. the ‘right to be forgotten’, and it is envisaged that individuals will become more proactive in enforcing their rights because of this.
Does it Apply to my Business?
The GDPR applies to any ‘data controller’ trading in any EU Member State that collects, manages, stores or uses ‘personal data’ (as defined in the GDPR). Such organisations are legally obliged to properly protect personal data. Be aware that the GDPR is not optional – it is mandatory!
If you are currently subject to the DPA, it is highly likely that you will also be subject to the GDPR.
What is ‘Personal Data’?
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier, for example an IP address, can be regarded as personal data. The broader definition allows a wide range of personal identifiers to be considered personal data, reflecting changes in technology over the past 20 years and the modern ways in which organisations collect information about people.
For most organisations, holding personal data will include keeping employee information, customer lists, mailing lists and contact details. Despite the change in definition, it should make little practical difference, and it is safe to assume that if you hold information that falls within the scope of the DPA then it will also fall within the scope of the GDPR.
The GDPR and Brexit
How Brexit will impact the GDPR is still not entirely certain at the time of writing. One thing we do know with reasonable certainty is that it is highly unlikely that the UK will exit the EU before the GDPR comes into force on 25 May 2018, meaning that UK organisations will need to be prepared for the GDPR regardless of Brexit.
What Do I Need To Do?
The GDPR should be a priority for organisations across Europe throughout 2017, but many organisations (especially private SMEs) will find that even a year is not long enough to do all that needs to be done.
The Information Commissioner’s Office (ICO) has set up a new microsite at http://dpreform.org.uk/ where you can view their ‘12 Step Guide on Actions To Take Now’ and get the latest guidance on the GDPR.
We would recommend that a good starting point for the majority of organisations would be to carry out a Personal Data Audit. This should be proportionate to your organisation’s services and should identify where personal data enters, is used within and exits your organisation. Although auditing and mapping your data is a time-consuming exercise, once it is complete your organisation is in a good position to progress with GDPR compliance.
Understanding how, when and why you are collecting personal information is important. Failing to collect the right consent could result in a breach of the DPA now, as much as under the GDPR in the future. As mentioned, data audits can be large and time-consuming exercises, but given the level of fines that the GDPR is set to impose (up to €20M or 4% of global turnover) they are worthwhile.
If you need any guidance or assistance with GDPR preparation or training, carrying out a data audit, or assistance with compliance, please do not hesitate to contact us.
The information contained in this newsletter is for general guidance only and represents our understanding of relevant law and practice as at March 2017. Wright, Johnston & Mackenzie LLP cannot be held responsible for any action taken or not taken in reliance upon the contents. Specific advice should be taken on any individual matter. Transmissions to or from our email system and calls to or from our offices may be monitored and/or recorded for regulatory purposes. Authorised and regulated by the Financial Conduct Authority. Registered office: 302 St Vincent Street, Glasgow, G2 5RZ. A limited liability partnership registered in Scotland, number SO 300336.