GDPR – The General Data Protection Regulation
Described by the Information Commissioner as “the biggest change to data protection law for a generation”, the General Data Protection Regulation (GDPR) is Europe’s update to data protection law. It was adopted in 2016 and applies across the whole of the EU, including the UK, from 25th May 2018.
If you process personal data, even if it’s only a mailing list or a newsletter subscriber list, you have until then to get your data, systems and policies in order and compliant with the new rules. Whilst in a general sense the GDPR is not too far from the current data protection regime in the UK (the Data Protection Act 1998), there are a number of significant changes coming that will affect the way you use personal data in your business.
Its aim is to bring data protection up to date for our digital, data driven era and to make organisations more accountable for their data processing activities, whilst protecting the privacy and interests of EU citizens.
At 88 pages, 99 Articles and 173 Recitals the GDPR is a complex piece of legislation, but in a nutshell, some of the more significant changes can be summarised as:
- direct obligations and liability for organisations acting as data processors, not just for data controllers
- new, stricter rules for when you’re relying on consent as the lawful basis for processing (e.g. when collecting data for marketing purposes), including being able to demonstrate that consent was given
- requirements to keep records of your processing activities (what data you hold, why, where it goes and how long you keep it)
- new data subject rights: the right to erasure (“the right to be forgotten”) and the right to data portability, i.e. to receive your data in a commonly used, machine-readable format
- introduction in law of data protection by design and by default, along with the use of Data Protection Impact Assessments (DPIAs) for higher-risk processing
- the requirement for some businesses to appoint a Data Protection Officer (DPO) responsible for data protection compliance in the business
- the requirement, in some circumstances, to report personal data breaches to the Information Commissioner’s Office (within 72 hours of becoming aware of the breach) and, where the risk to individuals is high, to those affected by the breach (i.e. the data subjects)
- the potential for much larger fines for failure to comply: up to €20m or 4% of annual worldwide turnover, whichever is higher, in the most serious cases
And if that’s not enough, add these into the mix:
- the new ePrivacy Regulation (which will replace the UK’s Privacy and Electronic Communications Regulations (PECR), possibly at the same time the GDPR starts to apply)
- Brexit and the implications of the UK becoming a “third country” from a GDPR perspective
- the UK Government’s proposals for a new Data Protection Act
So, if you’re not already thinking about how the GDPR may impact your business, with only a few months to go, now is the time to start. At the very least, audit your data, data flows, systems and policies across your business and consider how the GDPR will affect each of them. This will give you an idea of what you’ll need to do and the scale of the work needed to be compliant.
Whatever you do, don’t stick your head in the sand and assume it doesn’t affect you: if you process personal data (data that identifies, or can be used to identify, an individual) then it does. And don’t think Brexit will save you. If anything, it complicates things, but the GDPR is here to stay both before the UK leaves the EU and after we’ve left.
Act now, whilst you’ve still got time.