GPDR - Why your business needs to take note

A lot of the processes and principles introduced under GDPR are much the same as those under the current DPA, which the GDPR is replacing. Therefore, if your business is compliant now, you are on your way to compliance under the GDPR. However, there are some new elements and significant enhancements, which means you will need to take early steps to review your current policies and procedures."
Philip McBride, Partner, John McKee Solicitors

If your organisation or business collects, records, and stores personal data and undertakes processing activities with this data, then you need to be aware of the new General Data Protection Regulation (GDPR). GDPR is already in force in the UK but will not be enforced until 25th May 2018. The government has confirmed that the UK’s decision to leave the European Union will not affect the start of the GDPR. Philip McBride, partner at John McKee Solicitors in Belfast, provides an overview of the new rules. 

Who does GDPR apply to?

The GDPR applies to data ‘controllers’ and data ‘processors’. The definitions are broadly the same as under the Data Protection Act (DPA) – i.e. the controller determines how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.

Implications of non-compliance

Failure to consider the implications of GDPR on your business can result in more than a slap-on-the-wrist - it will likely result in heavy financial penalties and media scrutiny. Under GDPR, organisations in breach can be fined up to 4% of annual global turnover or €20 Million (whichever is greater) A data breach can also lead to a criminal conviction, damages claims against you and your business, job losses, loss of existing and future clients, damage to the reputation of your business and at worst, complete business failure

You may also be interested to read...

• Is your customer data an accident waiting to happen?
• Big changes to Austria's data protection laws

Steps to take to get ready for GDPR

The first thing to note is that a lot of the processes and principles which have been introduced under GDPR are much the same as those under the current DPA, which the GDPR is replacing. Therefore if your business is compliant now, you are on your way to compliance under the GDPR. However, there are some new elements and significant enhancements, which means you will need to take early steps to review your current policies and procedures.

The ICO (Information Commissioners Office) is the organisation that oversees privacy regulation and the DPA in the UK. It has published 12 key steps you can take now to get ready for the incoming regulations:

1. Awareness – at board level and throughout the organisation everyone needs to be made aware of the changes and impact of GDPR. There must be a concerted effort across the whole organisation

2. Information you hold – what information do you hold and how did you collect it? If you have not already undertaken an information audit you need to start the process now

3. Communicating Privacy Information – Do you have a Privacy Policy and do you issue Privacy Notices? These should be reviewed and appropriate changes made to ensure compliance

4. Individuals Rights - You should check your procedures to ensure they cover all the rights individuals have, including how you will delete personal data or provide data electronically and in a commonly used format

5. Subject Access Requests - You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information

6. Lawful basis for processing personal data - You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it

7. Consent – Conditions for consent have been strengthened and you should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it

8. Children - You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity

9. Data breaches - You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Breaches must be notified within 72 hours of first becoming aware

10. Data Protection by Design and Data Protection Impact Assessments - At it’s core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition

11. Data Protection Officers - You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer

12. International - Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.

Having a clear, documented strategy on how your organisation’s data activities meet the GDPR and existing privacy law, will become essential. If you care about your business you will care about what GDPR means and how to ensure your business is fully compliant when 25th May 2018 comes round.

Get advice on GDPR

For advice on how to ensure your business complies with the new GDPR, please contact Philip McBride at John McKee on +44 (0)28 90232303.