The EU General Data Protection Regulation (GDPR) is the biggest ever shake up to data protection laws, yet many businesses feel unprepared.
by Neil Andrews, Partner at Coles Miller LLP*
The core objectives of the GDPR are to give individuals more transparency about, and control over, their personal data, and to harmonise data protection regulation across the EU. It is making companies across the EU think seriously about data protection.
With the GDPR’s introduction taking place in May 2018 and the UK not leaving the EU until 2019 at the earliest, Brexit will not affect the introduction of the GDPR in the UK.
The GDPR will replace the EU Data Protection Directive, which was implemented in the UK by the Data Protection Act 1998. The UK Government has also confirmed plans to introduce a new Data Protection Act, which should be read alongside the GDPR when it becomes available.
This means now is the time to put the processes in place to ensure you are compliant.
It should be noted that the GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Firms must appoint a Data Protection Officer if their core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data or of data relating to criminal convictions and offences (public authorities must appoint one regardless). The special categories of data are set out in Article 9 of the GDPR.
Personal data breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. In the UK the supervisory authority is the Information Commissioner’s Office (ICO). Where the breach is likely to result in a high risk to the affected individuals, they must also be notified without undue delay.
Individuals have more rights and control as to how businesses use their personal data. In particular, they have the ‘right to be forgotten’, enhanced rights of data access and rights to data portability.
Failure to comply with the GDPR can lead to heavier penalties than ever before: up to €20 million or 4 percent of the company’s worldwide annual turnover for the preceding financial year, whichever is higher.
Does it apply to you?
If you’re unsure of whether or not GDPR applies to you, consider how regularly you deal with personal data. That includes present and past employees and suppliers, not just client data.
If it’s a routine occurrence, then you should abide by the GDPR. In a nutshell, any business affected by the Data Protection Act (DPA) will also fall under the GDPR. The key difference between the DPA and the GDPR is that the latter is broader in what it defines as personal data, wider in scope and stricter in its requirements.
Understanding the type of data that will be affected under the GDPR is one thing, but finding out where that data is actually held may not be as easy.
For example, think of the personal data in emails sent and received by your staff that may have been sitting on your mail server for years. Every piece of personal information held by your business needs to be identified – even if it’s on a mobile device or in the cloud.
You should also remember that the GDPR not only applies to digital data but also to physical data.
It’s a complex task, and data discovery technology can help. Many IT consultants are offering GDPR services and the Information Commissioner’s Office offers some helpful guidance.
A big plus to all of this is that you will probably emerge with more structured data and be able to monitor and manage it easily in future.
You’ll also be in pole position to respond to Subject Access Requests (SARs) – when individuals ask to see a copy of the information an organisation holds about them – and the ‘right to be forgotten’, which may require you to identify and erase all of an individual’s data.
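To make the discovery and SAR points above concrete, here is a small personal-data discovery scan written for this article as an added illustration; it is not code from the original piece or from Coles Miller, Deacon or Gallagher. It assumes an in-memory set of constructed sample files (a mail archive, an HR leavers list and a public press release), uses deliberately simplified regular expressions for email addresses, UK mobile numbers and National Insurance numbers, and shows the two follow-on tasks the paragraph mentions: locating every file that holds a given individual’s identifiers (the starting point for a Subject Access Request) and replacing those identifiers (a first step towards an erasure request).

```python
"""Toy personal-data discovery scan. Added illustration, not code from the
article or from Coles Miller / Deacon / Gallagher. Assumptions: the sample
files and their contents are constructed, and the detectors are simplified
regexes that a real programme would extend and follow with human triage."""
import re
from pathlib import Path

# Simplified detectors for a few categories of personal data. The NI-number
# and UK-mobile patterns are loose and will produce false positives; every hit
# still needs a person to decide whether it is personal data in context.
DETECTORS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "uk_mobile": re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}(?!\d)"),
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
}

# Constructed stand-ins for files found on a mail server, an HR share and a
# public docs folder. No real people, addresses or numbers.
SAMPLE_FILES = {
    "mail/archive/2014-03.eml": (
        "From: jane.doe@example.com\nTo: hr@example.co.uk\nSubject: Contract\n\n"
        "My mobile is 07700 900123 and my NI number is AB123456C."
    ),
    "hr/leavers.csv": (
        "name,email,ni_number\n"
        "Jane Doe,jane.doe@example.com,AB123456C\n"
        "Tom Smith,tom.smith@example.net,CE123456A\n"
    ),
    "docs/press-release.txt": "Our office opens at 9am. Contact press@example.org.",
}


def scan_text(text):
    """Return {category: sorted unique matches} for one document."""
    hits = {}
    for name, pattern in DETECTORS.items():
        found = sorted(set(pattern.findall(text)))
        if found:
            hits[name] = found
    return hits


def scan_corpus(files):
    """Map each path holding personal data to its per-category hits.
    `files` is {path: text}; paths with no hits are omitted from the report."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report


def load_directory(root):
    """Build the {path: text} mapping from a real directory tree (text files
    only; binary formats such as PDF or mailbox stores need their own parsers)."""
    root = Path(root)
    return {
        str(p.relative_to(root)): p.read_text(errors="ignore")
        for p in root.rglob("*") if p.is_file()
    }


def find_subject(files, identifiers):
    """Paths holding any of a data subject's known identifiers (email, NI
    number, ...), i.e. the starting point for a Subject Access Request."""
    needles = [i.lower() for i in identifiers]
    return sorted(
        path for path, text in files.items()
        if any(n in text.lower() for n in needles)
    )


def erase_subject(text, identifiers):
    """Replace a subject's identifiers with a marker as a first step towards
    an erasure request. Backups and derived copies are not touched here and
    an erasure process must account for them separately."""
    for ident in identifiers:
        text = re.sub(re.escape(ident), "[ERASED]", text, flags=re.IGNORECASE)
    return text


if __name__ == "__main__":
    for path, hits in scan_corpus(SAMPLE_FILES).items():
        print(path, hits)
    jane = ["jane.doe@example.com", "AB123456C"]
    print("SAR hits for Jane:", find_subject(SAMPLE_FILES, jane))
```

Run against the constructed files, the scan flags all three documents, including the press release, whose only hit is a generic contact mailbox; that is the kind of result a reviewer has to triage rather than treat as personal data automatically. Pointing `load_directory` at a real share swaps the samples for live content, but anything stored in PDFs, mailbox files or databases needs format-specific extraction before the same detectors can be applied.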
We asked Deacon’s parent company, Gallagher, one of the world’s most ethical companies, what GDPR means for bigger businesses and you can see some of their advice here.
* T: 01202 355697 Website: www.coles-miller.co.uk
The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited trading as Deacon accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.