The EU General Data Protection Regulation (GDPR) will come into force on 25th May 2018, replacing the EU Data Protection Directive of 1995. Whilst the concepts and principles remain broadly similar there are some new requirements and enhancements designed to meet the new challenges of rapid technological change that has seen a dramatic increase in the scale of data collection and sharing. Although Brexit introduces some uncertainty over the regulation of data protection in the longer-term, the GDPR will become applicable prior to the UK ceasing to be a member of the EU. In addition, it is likely that UK law post Brexit would need to be broadly equivalent to GDPR to secure viable data flows to and from the EU in future.
If you currently comply with the existing data protection laws then your general approach to compliance should remain valid but there are significant enhancements that require consideration, as outlined below.
Data subject rights – now include the right to be “forgotten” – personal data can be removed or deleted where there is no compelling reason for continued processing; and the right to data portability – allows individuals to obtain their data in machine readable format for easy transfer to other service providers.
Subject access requests– copies of personal data must now be provided in a reduced timescale and free of charge.
Consent – where processing of data is based upon consent, this must be explicit. Explicit consent is now required for transfer of data outside of the EU. New protection for children now requires a parent or guardians consent before processing their data.
Data Protection Officer – the appointment of a Data Protection Officer is now mandatory if you are a public authority or body; you monitor data subjects on a large scale; or you process sensitive personal data on a large scale.
Data security – some enhanced data security measures may be required such as encryption and pseudonymisation. Breaches must be reported to the Information Commissioners Office.
Privacy notices – an increase in the amount of information you need to include in your privacy notices. These should be clear, concise, and intelligible.
Privacy impact assessment – if you carry out high risk processing you must carry out a privacy impact assessment.
Sanctions– a sanction regime that can issue fines of up to 4% of annual worldwide turnover or €20million, whichever is greater.
The requirements are significant, and even if you currently comply with existing regulation, you may need to update your current policies, develop new ones, and ensure that these are properly documented. This will necessitate time, effort, and costs. So, where to start? There are some tasks you should be undertaking NOW. These include:
Awareness– Ensure your business has communicated the GDPR requirements to the Board and allocate responsibilities and resources to manage the changes.
Information – Conduct an information audit and document all the personal data that you hold, where it comes from and who you share it with.
Procedures and documentation– Review your current procedures and documentation to ensure you can adequately meet the enhanced rights of data subjects, update your privacy notices, and comply with new consent requirements.
Data Protection Officer– Consider if you should appoint a Data Protection Officer.
Data security– Review and update your data security measures, including a breach management policy that adequately documents all breaches.
High risk processing– Do you process high risk data, for example, processing of sensitive personal data on a large scale? If so, consider how you will approach the requirement for a privacy impact assessment.
• GDPR applies to any organisation that holds or uses personal data of EU citizens.
• You must comply with the new regime from 25th May 2018.
• New procedures may be required to meet new transparency and individual rights provisions.
• There could be significant budgetary, IT, personnel, governance, and communications implications.
• Sanctions for non-compliance include fines of up to 4% of annual worldwide turnover or €20million, whichever is
The requirements of the GDPR are extensive and meeting them by the deadline of 25th May 2018 may be onerous. If you haven’t already started to review and update your processes, procedures, and documentation, you should do so now. If you would like any assistance in preparing your compliance plans for GDPR, we have a health check programme against which you can test your progress and identify existing gaps that require further action. If you would like any further information, please contact Peter.Ennis@assureuk.co.uk or call 020 7112 8300.