Despite Brexit, an overhaul of data protection rules is to be implemented and these will apply from May 2018.
This will affect organisations of all sizes and small businesses could risk substantial fines if the new rules are ignored.
The new rules are designed to hand control of personal data to individuals rather than organisations.
The new rules define personal data as any information relating to a natural person which will include personal details, family and lifestyle details, education, medical details, employment details, financial details and contractual details.
Under the directive, special rules will apply to the processing of personal data that reveal racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership or health issues.
The issue of consent, which validates the use of ordinary personal data, is also a significant development.
Organisations need to ensure that they are explicit when seeking consent and detail how they will use the information.
An individual’s silence or inactivity will generally no longer be considered as consent.
Businesses must be much clearer on how customer data is collected and stored.
They have to make it easier for customers to tell organisations to ‘forget’ them and must provide greater protection for children.
Any data breaches must be communicated within three days to the Information Commissioner’s Office, the Data Regulator.
Organisations need to start acting now to ensure that they are compliant.
In particular, they need to consider:
The penalties for not complying with the new rules will increase substantially and so action must be taken by businesses in the near future.
Depending on the level of the breach, fines can be up to £20m, or 4% of total annual global turnover based on the preceding financial year, whichever is the greater.
Data controllers and processors need clarity on what data they hold and how the personal data is used.
Businesses need to check that contractual provisions are in place with their clients and service providers to ensure compliance and adequate indemnities exist.