Top Tips for Data Protection from Thrings
Thrings has written a series of guides, top tips and Question and Answers to help steer you through some legal hot topics. To find out more and to view the rest of the Guides, follow the link at the bottom of this page.
The General Data Protection Regulation (GDPR) is the EU’s new data protection law. Replacing existing laws such as the Data Protection Act 1998 (DPA), it comes into force on 25 May 2018 and, barring any major policy changes in the next couple of years, will survive Brexit in 2019. UK businesses have 12 months to get up to speed and make necessary changes to ensure compliance. Here, we’ve put together tips to help you do this.
THE HEADLINE ISSUES
While the new GDPR brings about a number of important changes, the following headline issues require particular awareness:
“Privacy by design, privacy by default” – this maxim marks a fundamental change in attitude to personal data and means that businesses will have to hardwire both data protection and data minimisation into their operations.
Accountability – businesses will no longer need to “notify” (register) with their national data protection authority, but will now be required to document and demonstrate their compliance with the GDPR. Transparency and best practice are key and are as much about good customer care as technical compliance. Importantly, this applies directly to data processors as well as data controllers.
Increased fines – from comparatively low fines (e.g. the current UK maximum of £500,000), the GDPR will significantly increase penalties to €10m (or 2% of annual worldwide turnover) for minor or technical breaches, and €20m (or 4% of turnover) for more serious operational failures.
Tightening up of consent – businesses will no longer be able to rely on vague indications of consent such as pre-ticked consent boxes and confusing double negatives, and will instead need to ensure that consent is properly obtained and adhered to. Consent will have to be freely given, unambiguous, specific, informed and clear (and also explicit in the case of special categories of data, such as health and religion).
Most businesses need not be overly concerned by these changes, however. The GDPR can be considered a reboot of the DPA so, in general, if you’re compliant with the current law, you’re unlikely to have much trouble meeting the new requirements. Below we’ve compiled the crucial areas of change to note:
The GDPR effectively means that Data Protection is a key business function and must be overseen at board level. You should make sure that key people are aware of the changes in the law and appreciate how this will impact their role in the business. Data processors will find themselves more directly affected by the GDPR and less able to look to their data controllers for compliance.
You will need to be able to document and disclose what personal data you hold, together with the sources for that data, the purposes for which it is processed and the relevant consents for that processing.
Individual data subjects will have increased rights of access to their data. They will also be entitled to call for their data to be corrected, deleted and transferred to other businesses. Your procedures and policies may need to be reviewed and updated so that your business can respond in a compliant manner.
For each individual whose data you hold, and for each type of data processed, you will need to document and abide by the relevant legal basis for that processing. This basis will commonly be “consent” but not always – you will need to review how you are seeking, obtaining, recording and updating the basis for your processing.
The GDPR requires parental consent for children under 16 but allows Member States to lower this age limit to 13. The UK has indicated it is intending to adopt this lower age limit (which is widely seen as the de facto global cut-off) so you may need to be able to demonstrate how you verify individuals’ ages and parental consent where necessary.
You need to have procedures and policies in place to detect, report, investigate and resolve any breaches of an individual’s rights regarding their data. There is a new 72-hour deadline for reporting breaches. It’s important to note this is a strict time limit and does not take account of weekends, bank holidays, etc.
DATA PROTECTION IMPACT ASSESSMENTS
As part of “privacy by design, privacy by default” you may need to adopt and implement Data Protection Impact Assessments.
DATA PROTECTION OFFICERS (DPO)
While the GDPR doesn’t require every business to have a DPO, it is strongly recommended that all organisations appoint an appropriate individual tasked with oversight of data protection compliance. The DPO should be independent of day-to-day implementation and should have a direct line of communication to CEO/board level to report issues.
Businesses operating across borders may need to check which national data protection authority they are regulated by. Additionally, the GDPR applies to most businesses outside the EU dealing with data subjects in the EU.
At Thrings, we have extensive experience providing legal advice regarding data protection. To discuss how we can help you, or to learn more about the GDPR, please contact Graeme Fearon on 0117 930 9557 firstname.lastname@example.org