Is your business ready for the GDPR changes?
The General Data Protection Regulation is now in force as of 25 May 2018 and has introduced sweeping changes to the way that businesses and organisations can hold data and information, strengthening protection for individuals. Non-compliance with the new rules can mean a significant fine for businesses and organisations.
A number of changes to the way businesses hold data will need to be considered by business owners.
Companies will be held accountable in greater ways when handling personal information
Companies should have data protection policies in place and should be ready to be assessed and to produce evidence showing how information is handled and processed. In the UK, the “destruction, loss, alteration, unauthorised disclosure of, or access to” data must be reported within 72 hours to the Information Commissioner’s Office (ICO) where a detrimental impact (such as financial loss or damage to reputation) could occur.
If your business has fewer than 250 employees, you will be required to document processing activities that are not “occasional”, that could pose a risk to the rights of individuals, or that involve data falling within the “special categories” or criminal conviction data.
If your business has more than 250 employees, it is necessary to have documentation regarding all processed data, including the nature of the information being held, the purpose of it, and the security measures in place.
Companies that engage in wider-scale data processing will have to keep detailed documentation on all processing, regardless of their size.
Companies should prepare for Privacy Impact Assessments
Data Privacy Impact Assessments (DPIA) will be required in certain circumstances, such as instances where a new technology is being deployed; where profiling may have a significant effect on individuals; and where there is processing on a large scale of “special categories” of data.
Special categories of data can include information pertaining to:
- sexual orientation;
- sex life;
- genetics; and
- trade union membership.
Even if a business is not required to carry out a DPIA, it would be a worthwhile exercise to conduct an assessment to ensure full compliance with the new regulations.
It will become easier for individuals to access data held about them
Under the new GDPR rules, an individual is entitled to request information held about them at no cost. Businesses will have one month to provide the data.
Individuals may also request the deletion of information pertaining to themselves where that information is no longer relevant to the purposes for which it was originally collected, or where the individual withdraws their consent.
Individuals will have their rights bolstered
Under GDPR, individuals are entitled to:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
Most of these rights already existed in some form under previous data protection laws. The right to data portability, however, is new: it is the right of an individual to receive the information held about them and to request that it be transferred to another organisation. The right to data portability only applies where data processing has been automated.
What happens if you don’t comply
Fines imposed can amount to 4% of global annual turnover, or €20 Million, whichever is greater. Fines at that level are reserved for the most serious breaches; fines follow a tiered approach, and for less serious breaches may be around 2%.
What do you need to do for your business
Business owners should take a number of steps to ensure compliance with the new GDPR rules ahead of their implementation, as follows:
- Ensure that directors and business managers are aware of the coming changes to data protection.
- Make comprehensive records of what data you hold.
- Review current privacy and data protection policies.
- Review procedures for access requests and how the new rules affect them.
- Identify the lawful basis for which you are processing and storing data.
- Review and document the means by which you attain and retain consent.
- Ensure that there are procedures in place to detect potential data breaches, and a method by which to act upon them.
- Consider appointing a data protection officer, or assigning these duties to a member of your organisation, to assess and maintain the systems in place. Note that some organisations, such as public bodies, businesses that conduct monitoring on a large scale and businesses that process large amounts of individuals’ data, will be legally required to appoint a data protection officer.
The penalties imposed for non-compliance with the new GDPR rules can be severe, even for small businesses. If you require assistance in ensuring your business is ready for the changes, you should contact one of our experts at the earliest possible opportunity.
To discuss any of the issues raised above, contact Keith Kennedy on 0161 735 3500 or make an enquiry.
Please note that the information and opinions contained in this article are not intended to be comprehensive, nor to provide legal advice. No responsibility for its accuracy or correctness is assumed by Pearson Solicitors and Financial Advisers Ltd or any of its members or employees. Professional legal advice should be obtained before taking, or refraining from taking, any action as a result of this article.
This blog was posted some time ago and its contents may now be out of date. For the latest legal position relating to these issues, get in touch with the author - or make an enquiry now.