Wondering whether the upcoming GDPR will affect your business? Don’t worry – we’ve got all the information you need to know about GDPR and how to get you and your business prepared.
What is the GDPR?
The GDPR is a total change in legal requirements which must be met by anyone who handles the personal data of EU citizens. This includes employee records, customer information, and client databases. The purpose of the new regulation is to give people greater control over what happens to their data while placing more legal responsibility on you as a business when it comes to handling it.
Who will the GDPR affect?
The GDPR (General Data Protection Regulation) is significant for any organisation, business or charity that handles the personal data of individuals that are either employed or related to that organisation in any way. It’s really important that you understand the ins and outs of how GDPR will affect your business.
Summary of the Data Protection Law Changes
The current data protection laws will no longer apply once the law changes, so it’s important you recognise the difference between the old laws and the new requirements.
The Data Protection Acts of 1988 and 2003 state that any person handling personal data regarding a living person on a computer or in a physical file has to follow these 8 obligations:
1. To keep data secure at all times
2. To make sure data is kept accurate and up to date at all times
3. To ensure that the data maintained is relevant and not excessive
4. To handle all data fairly
5. To store data for one or more explicit and lawful uses
6. To use and disclose data in accordance with point 5 above
7. To keep data for no longer than necessary; and
8. To give each individual a copy of their personal data on request.
Under the new GDPR regulations, these obligations will change to the following:
- To process personal information lawfully, fairly and transparently
- To collect data for specified, explicit and legitimate purposes
- To minimise data collection to adequate and relevant purposes
- To ensure all data is accurate, and when necessary, kept up to date
- To retain data only for as long as needed
- To process all data with integrity and confidentiality.
A GDPR compliance checklist for your organisation
As the GDPR will place more legal responsibility on you as a business when it comes to handling data, you’ll need to comply with the new obligations. Failing to do so can result in some pretty eye-watering fines.
Understanding how to make sure you’re compliant is crucial. Here’s a handy checklist which will help you figure out whether or not your company is handling data correctly as per the GDPR regulations.
- Do you have clear consent from individuals for the data you hold about them?
- Under the new rules the requirements for consent are a lot stronger. Any request for consent from a consumer to process their personal data must be easy to understand and transparent.
Data protection officers
- Is your organisation a public authority?
- Do you conduct large-scale systematic monitoring (including employee data) or process large amounts of sensitive personal data?
- Where ‘large scale’ processing of data is evident, a dedicated DPO (Data Protection Officer) needs to be appointed.
- Are you responsible for processing personal data?
- Under the GDPR, you’ll have a greater legal duty to protect that data. You’ll need to keep records of personal data and how it’s processed. You’ll also need to ensure that any third-party contractors comply with the GDPR.
- How will you meet the requirements for the new rights: the ‘right to be forgotten’, the ‘right to data portability’, and the ‘right to object to data profiling’?
- You’ll need to show that you can comply and reassure individuals that these rights have been met (including notifying third parties).
- Do you have a data protection programme and are you able to provide evidence of how you will comply with the requirements of the GDPR?
- Measures to protect personal data are now the responsibility of the data controller and data processor.
Mandatory breach notification
- Would you be able to tell a data protection supervisory authority about a data breach within 72 hours?
- You’ll need easy-to-use and efficient processes that allow you to report the breach and manage communications with affected consumers quickly and accurately.
When do the current laws on Data Protection change?
On May 25th, 2018, the EU General Data Protection Regulation (“GDPR”) comes into force.
What are the fines for GDPR infringement?
If you don’t comply with GDPR after May 25th, 2018, you run the risk of the following financial penalties:
Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be enforced for the most serious infringements and includes not having sufficient customer permission to process data.
For smaller infringements, a company can be fined 2% for not having its records in order. The same fine applies in cases where it did not notify the supervising authority and data subject and did not conduct an impact assessment.
It’s important to note that these rules apply to people that both control and process data.
Getting GDPR ready: what else should you be aware of?
- Consent – The GDPR will significantly raise the bar for what valid consent means so that it’s freely given, specific, informed and unambiguous.
- The definition of personal data will be broadened to include online identifiers such as IP addresses, cookies and RFID tags.
- Lawful Processing – The GDPR will make it harder for enterprises to fall within the existing justifications for processing data.
- There will be additional rights for Data subjects/Individuals – the right to data portability, the right to be forgotten, the right to restrict the processing of data in certain circumstances, and reduced timeframes for Data Protection requests.
- Mandatory obligation to designate a Data Protection Officer for certain organisations.
- Data Processors will be regulated and can be liable for claims taken by Data subjects/Individuals and for sanctions in terms of breaches of GDPR.
- GDPR requires a data controller to notify the Data Protection Commissioner of any breach without undue delay and, where feasible, within 72 hours. Data subjects/Individuals must likewise be notified without undue delay where there are risks to their rights and freedoms.
- Accountability is a core principle of GDPR. Organisations are required to apply data protection “by design” and “by default”, which means taking data protection risks into account when creating all new processes, products, and services.
- GDPR will apply to any enterprise which processes the personal data of EU citizens (Data subjects/Individuals), whether that enterprise is established in the EU or not.
Will Brexit impact GDPR?
The GDPR aims to protect EU citizens’ personal data, regardless of country borders or where the data is processed. The new rules expand on the 1995 Data Protection Act with a broader definition of personal identifiers, such as an IP address, which is now classified as personal data.
Businesses based outside the EU will still need to meet GDPR rules if they have EU customers. The UK’s decision to leave the EU will not affect the need to comply with GDPR.
How to prepare for GDPR
Preparing for GDPR can feel like a lot of complex work that needs doing in a short amount of time. With the deadline looming, don’t get overwhelmed by the pressure – there’s help available.
At Gibson & Associates, our fully-trained and accredited GDPR data protection solicitors can make sure your company or organisation is ready for the new legislation. We’ll help you avoid the eye-watering fines and compensation claims from customers – letting you get on with what you do best.
Here is how our expert solicitors will help you, in 4 steps:
- GDPR Health Check:
Once we’ve received your completed pre-audit questionnaire, we’ll start the GDPR Health Check phase. This first phase is basically an audit/risk assessment.
We’ll need clarification of the scope and nature of your company, its business and data lifecycle from the entry point to exit/destruction.
We’ll also need to conduct a number of interviews, along with auditing your systems, processes and policies. The areas covered by the audit and those specifically not covered need to be identified in the pre-audit questionnaire (e.g. finance, HR, etc.).
- The path to GDPR Compliance:
This exercise will follow the results of your GDPR Health Check. We’ll create a recommendations report or action plan that will provide you with a clear path to become GDPR compliant.
This report will list, chronologically, the actions that need to be taken. It will also highlight how these actions will result in compliance, and the risks associated with not implementing them.
- Drafting/Amending of GDPR Procedures & Policies:
The GDPR Health Check and Path to GDPR Compliance will have identified which of your processes/policies need to be reviewed and updated, or created, etc. This phase may also include the drafting/amending of existing employee/data processor contracts in light of GDPR.
- Outsourcing of the DPO role:
This option involves outsourcing the Data Protection Officer role. Subject to your needs/preferences, this service is provided over a more focused time period than an in-house DPO would be. It may be the case that this service is only needed for a limited time.
Contact our team today
If you need to make sure your business is data compliant, we’re here to help you. Our solicitors have expertise in all aspects of Cyber & Privacy Laws, Reputation Management, and Data Protection Laws, and we’ll make sure you get your business protected and secure ahead of the GDPR regulations.
Talk to us today – make an enquiry below, and we will contact you within 3 hours.