In April 2016 the EU parliament approved the General Data Protection Regulation (GDPR). It provided a two-year transition period so that businesses could be fully compliant with the new regulations by May 2018. Now, with only a few months to go, many businesses remain unprepared, and the cost of non-compliance could be significant.
GDPR aims to give EU citizens control over their personal data (any information relating to an individual that can be used to identify that person) held by third-party organisations. It recognises the sheer volume of personal data that is now held and processed, and it addresses the shortcomings of data protection legislation that has not kept pace with the modern world.
GDPR applies to all businesses that process personal data and are either established within the EU or that sell goods or services to EU citizens. The UK’s commitment to GDPR pre-dates Brexit and UK businesses will need to comply.
The regulations identify two types of business: data controllers, organisations that collect data from EU citizens; and data processors, which process data on behalf of a controller. An example of the latter would be an outsourcing company that indirectly holds personal data in order to perform its outsourced activity. Under GDPR, data controllers must ensure that the data processors they use also fully comply with the regulations.
So what does it mean for local businesses?
Firstly, consent to hold personal information must be obtained in a clear and distinguishable manner, not buried within long-winded, technical terms and conditions. Existing consents held by businesses may no longer be adequate.
Individuals have the right to obtain confirmation from data controllers (i.e. businesses) as to whether their personal data is being processed, and details of the purpose of that processing. They may also request a copy of that information. Furthermore, the right to be forgotten entitles a person to have the data controller erase their personal data when certain conditions are met. It will be necessary, therefore, for businesses to be capable of identifying the information they hold on each individual.
Data security is a key element of GDPR, and businesses will need to review and, if necessary, upgrade their current security arrangements. Reporting data breaches will become mandatory: a breach must be reported within 72 hours of the business becoming aware of it, and the affected data subjects must be informed ‘without undue delay’.
The appointment of a Data Protection Officer (DPO) may be required, but only where an entity (a) is a public body, (b) carries out large-scale systematic monitoring of individuals, or (c) carries out large-scale processing of sensitive personal data.
GDPR preparation has been, and will continue to be, a significant undertaking for most businesses, especially those that will require the appointment of a DPO. It is vital for businesses to take the time now to review and implement data privacy measures before May 2018. Failing to take GDPR seriously could lead to penalties of up to €20M or 4% of your global annual turnover.
Doing nothing is not an option.