Act now to be ready in time for major new personal data regulations
Demanding and sweeping changes to the way organisations can store and handle personal data come into effect on 25 May 2018 making it vital that preparations begin as soon as possible to ensure compliance.
The EU General Data Protection Regulation (GDPR) will replace the Data Protection Act (DPA) and will affect all firms that deal with customer data in virtually every sector.
The aim of GDPR is to overhaul and modernise current data protection laws, which date back to the pre digital 1990s when only the largest organisations had the means to collect and store significant amounts of data.
Now, many organisations - including thousands of small and medium sized enterprises (SMEs) - routinely collect personal details, store, move and access them online and use personal data in sales and marketing and customer relationship management.
Major data breaches have become increasingly common including the theft of names, birthdates, emails and addresses as well as social security, pension and bank account details.
How will GDPR affect UK firms?
It will reach much further than existing data protection laws and the main changes are the introduction of increased accountability for both data controllers and data processors, the need for consent, hefty fines up to a maximum of £74 million or four per cent of global turnover for noncompliance and new rights granted to individuals regarding the use of their personal information (which will be much more broadly defined).
- It tightens up rules on consent. From May, organisations must keep a record of how and when someone actively gives consent to store and use their personal data including saved consent forms and screen shots to prove it. Silence or the use of a pre-ticked box will no longer be enough;
- It gives people the right to withdraw their consent at any time and when they do, their details must be permanently deleted;
- If a data breach occurs, organisations must inform the relevant authorities within 72 hours;
- Some organisations will be required to appoint a data protection officer.
In a nutshell, GDPR means organisations must know what data they hold and where it is stored, be able to totally remove it if a request is made to do so and have the procedures in place to respond to any security breaches speedily and effectively.
What should organisations do to prepare?
According to a recent survey, 66 per cent of UK organisations either have no idea what GDPR entails or have no plans to begin preparations. And there has certainly been confusion about what organisations' obligations will be.
Key steps businesses should take before the May 2018 deadline include:
- Looking at all internal operations that involve the handling of secure data paying particular attention to email addresses and personal contact details and implementing new policies and procedures where necessary;
- Identifying any areas that might be at risk of a data breach and looking at ways to minimise this;
- Training relevant employees about the key changes and bringing in software to improve security;
- Understanding which EU authorities breaches must be reported to as failure to do so may escalate sanctions, penalties and fines.
But what about Brexit?
Many have mistakenly assumed that because GDPR is an EU framework, it will not apply to UK businesses post Brexit. But the Government's Statement of Intent for the new Data Protection Bill published earlier this year has confirmed it will be enshrined in full into UK law.
So time is of the essence.
For help and advice about what you can to do prepare for GDPR please contact Wards Solicitors' Business Employment team.