South: GDPR explained as the deadline draws nearer

Published by
TBM Team

What is the GDPR? The General Data Protection Regulation (GDPR) comes into force on May 25, 2018, and is intended to harmonise European data protection laws, which makes it easier for EU citizens to understand how their data is being processed and raise any complaints.

Partner Debbie Brett, in Reading-based Blandy & Blandy LLP’s commercial & regulatory team, outlines GDPR and its implications. She writes:

The new regulations provide many businesses with a great opportunity to re-evaluate how they approach data protection and implement substantial technical changes to avoid potential substantial penalties.  

Why is the GDPR needed?

Storing data is no longer as simple as it once was. We no longer store all data in one structured database, and given the complex way that many individuals and companies store data now (emails, photos, social media, cloud storage, etc.), legislation has needed to be updated to manage how this data is processed.

Given that information now becomes available across the world instantaneously and no longer respects national boundaries, it has become necessary to develop EU-wide legislation.

Who will the GDPR apply to?

The GDPR will apply to any business, whether established inside or outside the EU, which offers goods and services to EU citizens or monitors their behaviour. With Brexit looming over the United Kingdom, please be aware that the GDPR will still apply post-Brexit.

Data Protection Act 1998 (DPA) vs GDPR

Similarities:

The GDPR retains the core rules and principles of the DPA regarding the processing of personal data including the following existing rights:

  • the right of individuals to access their own personal data;
  • the right to object to direct marketing; and
  • the right of individuals to rectify inaccurate data.

Differences:

  • Appointment of Data Protection Officer (DPO) - Certain organisations (a public authority; a controller whose activities require regular and systematic processing of data on a large scale; or a controller that processes sensitive data relating to criminal convictions on a large scale) will be obligated to appoint a DPO, who is expected to be at an executive level and will assume responsibility for meeting the GDPR obligations.
  • Financial penalties - Companies can now receive fines which may be levied to the higher of €20 million or 4% of annual worldwide turnover for data breaches. Individuals can also claim compensation from organisations for financial loss or distress suffered.
  • Accountability and reporting duties - Companies will now need to keep accurate records to demonstrate that they comply with the GDPR. The extent of records will depend on a number of factors including:
    • The size of the company
    • The sensitivity of the data being transferred; and
    • The level of risk relating to the type of data being transferred.
  • Companies will need to report any security breaches to the affected individuals without delay and to their regulator (the Information Commissioner’s Office for companies in the UK) within 72 hours.
  • Consent - Under the new legislation it has become more difficult to obtain valid consent from individuals to process sensitive personal data. The individual must be able to withdraw their consent at any time. A child will not be able to consent unless authorised by a parent.

Steps to take now

In order to prepare for the GDPR, businesses should consider taking the following steps:

  • Identify key data that needs to be protected and understand the possible risks of storing that data
  • Evaluate who has access to this data
  • Create suitable policies that enable the company to protect its data and to ensure its security
  • Ensure high default privacy settings are built into new company processes to prevent any data breaches
  • Appoint a Data Protection Officer if required

For those currently compliant with the DPA who have proactive data protection policies, the updates needed are very achievable, and in any event, we recommend that businesses start undertaking the steps above as soon as possible.

Blandy & Blandy can help in reviewing businesses’ current levels of compliance, assessing any vulnerabilities and drawing up an action plan to meet the GDPR. In particular, the firm regularly assists in drafting and updating key documents and policies as well as providing training to staff to help clients to continue to meet their data protection obligations.

For further information or legal advice, contact debbie.brett@blandy.co.uk or visit www.blandy.co.uk