The GDPR, or General Data Protection Regulation to give it its full title, is EU data protection legislation that applies from 25th May 2018. It means important changes to the way you handle personal data in your business. So what has changed?
Businesses can no longer rely on ‘implied consent’: in basic terms, you cannot use tick boxes that have already been ticked when obtaining an individual’s consent to use their personal data. From May 2018 you must be able to demonstrate that consent was freely given, specific, informed and unambiguous, that it was given by a clear affirmative statement or action from the individual (the data subject), and that it is as easy to withdraw as it was to give. Continuing to require an individual to untick a box will almost certainly breach the GDPR, and obtaining effective consent will be much harder. You should start to review your forms and consent processes now so that any necessary changes are planned and budgeted.
Consent is not a one-off event, and it is not the only lawful basis for processing: where you do rely on it, it must remain valid for as long as the processing continues and can be withdrawn at any time, and explicit consent is required in specific cases such as processing special category data. Separately, the GDPR requires you to keep records of your processing activities, to review them regularly, and to delete personal data that is no longer needed for the purpose for which it was collected.
If you offer online services directly to children and rely on consent, the consent must come from a parent or guardian (obtained in the same way as described above) where the child is under 16. Member states may lower that threshold to as low as 13, and the UK’s Data Protection Bill does so.
Many businesses will be affected by the GDPR and could be in breach without realising it! Whether your business is based in Wiltshire, New York or Australia, if it either: (i) offers goods and/or services to data subjects in the EU (irrespective of whether payment is received), and/or (ii) monitors data subjects’ behaviour that takes place within the EU, your business will be subject to the GDPR.
Data Protection by Design
The GDPR requires data protection to be embedded in the entire life-cycle of a project or process, from the early design stage through deployment, use and final disposal. This principle, together with “data protection by default” (collecting and retaining only the personal data each purpose actually needs), applies whenever your business creates services or products and, if your business is data heavy, to its data processing activities generally.
The GDPR requires businesses to perform a data protection impact assessment before carrying out any processing that is likely to result in a high risk to individuals, particularly where new technologies are involved. Applicant tracking software that profiles individuals or screens them by automated processing is a typical example, whether your business built it or uses a third party’s technology.
The assessment may point to measures such as pseudonymisation (processing personal data in such a manner that it can no longer be attributed to a specific individual without the use of additional information, such as a key, which is kept separately from the data) or a written contract ensuring that the third party who supplies the technology complies with the GDPR.
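To make the “additional information” point concrete, here is a short worked example of pseudonymisation using a keyed hash (HMAC-SHA256). It is added to this article for illustration and is not code from the original page or from any particular product. The applicant records are constructed sample data, and the key is a hypothetical secret that would in practice be held separately (for example in a key management service) from the pseudonymised dataset.

```python
"""Pseudonymisation of direct identifiers with HMAC-SHA256 (illustrative example).

The records below are constructed sample data, not real applicants. The key is a
hypothetical secret held separately from the dataset; holding the key is the
'additional information' that allows re-identification.
"""
import hashlib
import hmac
import secrets

# Constructed sample records, shaped like an applicant-tracking export.
APPLICANTS = [
    {"email": "alice@example.com", "role": "engineer", "score": 82},
    {"email": "bob@example.com", "role": "analyst", "score": 67},
    {"email": "Alice@Example.com ", "role": "manager", "score": 74},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym for a direct identifier with HMAC-SHA256.

    The identifier is normalised (trimmed, lower-cased) so that the same person
    always maps to the same pseudonym and their records stay linkable. Without
    the key the pseudonym can neither be reversed nor regenerated.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return copies of the records with the email replaced by a subject_id."""
    out = []
    for rec in records:
        safe = dict(rec)
        safe["subject_id"] = pseudonym(safe.pop("email"), key)
        out.append(safe)
    return out


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier: this is NOT adequate pseudonymisation.

    Email addresses are guessable, so anyone with a list of candidate
    identifiers can hash each one and match it against the dataset.
    """
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def reidentify_unkeyed(target_hash: str, candidates):
    """Dictionary attack on an unkeyed hash: try each candidate identifier."""
    for cand in candidates:
        if unkeyed_hash(cand) == target_hash:
            return cand
    return None


def reidentify_keyed(target: str, candidates, key: bytes):
    """The same dictionary attack against the HMAC pseudonym needs the key."""
    for cand in candidates:
        if hmac.compare_digest(pseudonym(cand, key), target):
            return cand
    return None


def demo():
    """Run the comparison on the sample data and return the pseudonymised set."""
    key = secrets.token_bytes(32)        # kept separately; never stored with the data
    wrong_key = secrets.token_bytes(32)  # what an attacker without the key has
    pseudo = pseudonymise(APPLICANTS, key)
    guesses = ["carol@example.com", "alice@example.com"]

    # Linkability is preserved: Alice's two applications share one subject_id.
    linked = pseudo[0]["subject_id"] == pseudo[2]["subject_id"]
    # Unkeyed hashing is defeated by a guess list; keyed hashing is not.
    unkeyed_recovered = reidentify_unkeyed(unkeyed_hash("alice@example.com"), guesses)
    keyed_without_key = reidentify_keyed(pseudo[0]["subject_id"], guesses, wrong_key)
    keyed_with_key = reidentify_keyed(pseudo[0]["subject_id"], guesses, key)
    return {
        "records": pseudo,
        "linked": linked,
        "unkeyed_recovered": unkeyed_recovered,
        "keyed_without_key": keyed_without_key,
        "keyed_with_key": keyed_with_key,
    }


if __name__ == "__main__":
    result = demo()
    for rec in result["records"]:
        print(rec)
    print("unkeyed hash re-identified:", result["unkeyed_recovered"])
    print("keyed pseudonym without key:", result["keyed_without_key"])
    print("keyed pseudonym with key:", result["keyed_with_key"])
```

The contrast between the two hashes is the practical point: a dataset of unkeyed hashes of email addresses is still personal data in all but name, because the hashes can be regenerated from a guess list. Keeping the HMAC key apart from the dataset (and rotating or destroying it when the data is no longer needed) is what makes the pseudonymised copy genuinely harder to attribute to an individual.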
The “Right to be Forgotten”
Data subjects will have the right to have their personal data erased from an organisation’s systems, which will require a streamlined process for handling erasure requests. Independently of any request, if your business is holding personal data that is no longer needed for the purpose for which it was collected, your business is required to delete it. A data subject will also have the right to object to their personal data being processed for purposes such as direct marketing, online tracking and behavioural advertising. Businesses that use these mechanisms will need a lawful basis for them and a process for stopping the processing promptly when someone objects; in practice this will often mean obtaining consent up front.
Mandatory Notification of Data Breaches
Under the GDPR it will be mandatory to report a personal data breach to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, they must be told as well.
Your current policies and processes will therefore need to be reviewed and amended, including educating employees so that they recognise a breach and know how to report it internally in time. The GDPR also bites on data processors: they may be liable to pay fines if they do not comply with their own obligations, whereas under the Data Protection Act 1998 processors are not directly subject to obligations.
Mandatory Data Protection Officers
Businesses whose core activities consist of large-scale processing of special category (sensitive) data, or of regular and systematic monitoring of data subjects on a large scale, will be required to formally appoint a Data Protection Officer, as will public authorities. The categories of sensitive personal data have been widened by the GDPR to include genetic data and biometric data used to identify someone, such as retinal scans and fingerprints, in order to keep up with developing technology.
Data Subject Access Requests
Businesses will be obliged to reply to data subject access requests within one month of receipt, extendable by a further two months for complex or numerous requests, and in most cases without charging a fee. If you currently receive requests on a regular basis, the new timescales should be built into your existing processes.
What are the consequences of breaching GDPR?
Non-compliance with the GDPR carries significantly increased risk for your business. Under the current Data Protection Act 1998, the Information Commissioner can fine a business up to a maximum of £500,000 for a breach of data protection law.
However, the GDPR will create a new and much higher level of fines that can be imposed on data processors as well as data controllers (previously only data controllers were obliged to comply), in two tiers:
(i) up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers and data protection by design and default; and
(ii) up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater) for violations relating to breaches of the data protection principles, the conditions for consent, data subjects’ rights and international data transfers.
Under the new accountability principle, the GDPR requires businesses to be able to demonstrate compliance, which means continually assessing the risk that their processing poses to data subjects and documenting what they have done about it. This takes time to implement. A failure to plan ahead could leave businesses struggling to comply when the GDPR applies, with serious consequences.
Please note this article contains general overview information only. It does not constitute, and should not be relied upon, as legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter.