Most businesses process data for some purpose, whether it is to deal with payroll, maintain their customer database or process customer orders online.
However, the landscape under which they will do so is set to change in the next two years.
The General Data Protection Regulation (GDPR) is a huge piece of legislation that was set to replace the UK’s 1998 Data Protection Act from May 2018.
It marks a tough new era in EU-wide data protection, with new powers for data regulators and much stricter operating boundaries for businesses that process personally identifiable information about individuals.
UK companies which imagine that Brexit will have changed the need for them to comply should ignore the new requirements at their peril.
It is possible that the GDPR will remain binding on the UK if it leaves the EU but becomes part of the European Economic Area (EEA).
Even if there is a “full exit” (i.e. out of the EEA as well), the Information Commissioner has stated that, irrespective of Brexit, the “underlying reality on which the policy is based has not changed”, so we can expect any new legislation brought in by the UK Government to be equally stringent.
In a world of competing priorities, data protection is not always a key business focus, but businesses will need to make sure that they understand the changes that the GDPR will make and check that their approach to data protection is up to scratch.
We recommend that businesses, whatever their size, who trade in the EU or want to be able to transfer personal data in from the EU, use the requirements of GDPR as a minimum standard to be applied to their business.
The main provisions of the GDPR include:
Consent – an individual will have to make a positive action that demonstrates their consent, in order for their data to be collected. The consent can be withdrawn at any time, as individuals have ‘the right to be forgotten’. They also have the right to copies of any data being processed about them.
Transparency – more information will have to be provided by the processor from the outset about how data will be used and how long it will be kept for.
Accountability – there is a shift from risk management to compliance so organisations will have to be able to show that they are actively complying with the GDPR, not just identifying risks.
Breaches – in future, there will be a statutory obligation to notify the Information Commissioner and the individuals affected if there is any risk to an individual’s personally identifiable information as a result of a breach. The courts will be able to impose a range of sanctions, including warnings (only for first-time offenders and only for non-intentional non-compliance), regular data protection audits and fines of up to 20 million (or four per cent of worldwide turnover, if greater).
Children – no one under 13 can give their consent to the processing of personal data in relation to online services, so parental consent must be obtained. Depending on what rules the UK sets, parental consent may also be required for children under 16.
Businesses should start planning for the changes now and take advice on what it means for them.
Gardner Leader can help to ensure that you understand the regulatory landscape and how it applies to the business and help to implement changes that need to be made.
By Emma Ladd, senior associate in the corporate and commercial team at Gardner Leader LLP, in Newbury, Thatcham and Maidenhead. Follow @GardnerLeader, call (01635) 508080 or email www.gardner-leader.co.uk