25th May 2018 sees the General Data Protection Regulation (GDPR) come into effect. GDPR, which replaces the Data Protection Act, introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules identical throughout the EU.
The thrust of GDPR is that companies must ensure personal data is processed lawfully, transparently, and for a specific reason. Once that reason is fulfilled and the data is no longer required, it should be deleted. You should note that “personal data” includes corporate email addresses and other contact details.
Fines under the existing Data Protection Act have an upper limit of £500,000. Fines under GDPR can be up to €20 million or 4% of worldwide turnover, whichever is higher. In addition, there are rumours that SMEs will be targeted first to ensure they are complying. So it’s worth spending some time reviewing your use and storage of data to ensure that you comply with the new Regulation.
The Regulation provides eight key rights for individuals:
- The right of access – individuals can request access to their personal data free of charge.
- The right to be forgotten – individuals can ask you to delete or remove their personal data where there is no good reason for its continued processing.
- The right to data portability – individuals can transfer or move their personal data between service providers easily and safely, without obstacles to usability of the data.
- The right to be informed – individuals must know how you intend to use their personal data when it is being gathered, and they must freely give their consent to it. Their consent cannot be assumed or taken for granted.
- The right to rectification – individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the data to third parties, you must ensure that your customers are aware of the third parties to whom you have disclosed the data.
- The right to restrict processing – in some cases individuals can allow you to store their personal data but can also state that you are not allowed to process that data for any reason.
- The right to object – individuals have the right to object to your usage of their data.
- Rights related to automated decision making and profiling – this provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. You should identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR.
So, what to do?
- Make sure all your senior people are aware of GDPR and allocate one senior person to take responsibility.
- As you go through each of the following actions, ensure that you document everything and, where appropriate, put in place processes to manage this on an ongoing basis.
- Audit the data that you hold, how you hold it and with whom you share it.
- Review your website privacy notice.
- Plan a customer consent refresh campaign; and review how you will seek, record and manage consent going forward.
- Businesses should identify their third-party data handlers and get all the information needed from them to ensure GDPR compliance. Don’t trust that because a supplier is a ‘big business’ this solves compliance issues; the biggest suppliers are also struggling with GDPR compliance, particularly if they are overseas.
- Review and update staff guidance and train them on the new rules.
- Consider how you handle employee data.
- Consider if your IT security can be improved and data minimised where not needed.
- Put together a data breach plan.
- Some businesses (particularly a business offering online behavioural advertising services or website analytics) will need to consider whether they need to employ a new Data Protection Officer, who is a quasi-legal and highly technical member of staff with a very specific and in-demand skill set.
The Information Commissioner’s Office has prepared a document on preparing for the GDPR.