The European Union's General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and every business in the United Kingdom that handles personal data will need to comply with the new legal framework.
The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of GDPR.
With limited time left to bring your business into compliance with the new regulation, it is crucial to start preparing as soon as possible, and you may wish to speak to a solicitor trained in GDPR.
Key points to consider
Valid consent to using personal data
The requirements for consent will be tightened with the introduction of GDPR. Clear, affirmative consent will be required: silence, inactivity or pre-ticked boxes on your website will not constitute valid consent from a customer. You will also have to give the customer the right to withdraw their consent at any time, and withdrawing consent must be as easy as giving it. In practice, this means you should allow your customer to withdraw consent using the same method that was used to obtain it in the first instance.
Special categories of personal data
Most businesses are already familiar with the concept of 'sensitive data' from existing data protection legislation. 'Sensitive data' includes, among other categories, information concerning racial or ethnic origin and information about a person's health. GDPR retains these categories under the name 'special categories of personal data' and adds genetic data and biometric data (where it is processed to uniquely identify an individual) to the list.
Accountability
New obligations will be imposed on you to show that you have considered data protection and integrated compliance measures into your day-to-day practices. This may mean adopting appropriate data protection policies, training staff and, where required, appointing a data protection officer. Importantly, for the first time you will have to be able to demonstrate that you comply with your obligations under GDPR, which means keeping appropriate records of your processing activities.
Contracts with data processors
GDPR will require you to have a written contract, containing specific mandatory terms, with any service provider who processes personal data on your behalf, and to ensure that they comply with their obligations under GDPR. Equally, if you process data on behalf of a third party, GDPR will, in a significant departure from existing legislation, place direct legal obligations on you as a processor for the first time and make you liable for breaches that you are responsible for.
Right to erasure
More commonly known as the 'right to be forgotten', this right is not absolute, but it will entitle data subjects to have their personal data erased in specific circumstances, such as where the personal data is no longer necessary for the purpose for which it was originally collected or processed, or where they withdraw the consent on which the processing was based.
Data breach notification
If personal data is accidentally or unlawfully destroyed, lost, altered, disclosed or accessed, you will be required to notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Where the breach is likely to result in a high risk to those individuals, you must also inform them without undue delay. This is a new requirement. You may be tempted not to notify in order to avoid bad publicity; however, failure to notify risks an administrative fine of up to €10,000,000 or two per cent of total worldwide annual turnover in the preceding financial year, whichever is higher.
For the most serious infringements of the regulation, such as breaching the basic principles for processing (including the conditions for consent) or the rights of data subjects, the maximum penalty is doubled to €20,000,000 or four per cent of total worldwide annual turnover, whichever is higher.
About our GDPR solicitors
Our expert lawyers work with businesses to put the best data protection systems in place to comply with GDPR. Our team drafts detailed compliance policies setting out a business's approach to GDPR and the steps that need to be taken to properly collect, store and safeguard the personal data it holds.