The General Data Protection Regulation (aka Greater Data Protection Requirements)
What is the GDPR?
The GDPR, or in its full name the General Data Protection Regulation, is a law that will come into force on 25 May 2018. It will replace current data protection law, namely the Data Protection Directive and the Data Protection Act 1998.
Getting into the spirit of the GDPR
Accountability and transparency are new principles which run through the GDPR. Businesses must be proactive rather than reactive. So, you must be able to demonstrate compliance with the GDPR by having data protection policies; data protection training for staff; data audits; and data protection assessments.
Broadly, what does that mean for you and your business?
If a business or organisation collects, records, uses, stores or processes personal data (including employee or customer data) of data subjects based in the EU, then the GDPR will apply. It applies even if a business is based OUTSIDE of the EU.
Great, so the specifics are…
There are two types of data handler:
1. Data controllers - meaning those who determine the purposes for which data is processed, and therefore the persons who have responsibility for data protection.
2. Data processors - meaning the persons who process the data on behalf of the data controller (e.g. HR officers and IT companies).
The GDPR, unlike the current law, will give data processors direct liability for sanctions if they fail to meet the given obligations. These will include having to maintain a written record of processing activities carried out on behalf of each controller and a breach notification obligation under which processors must notify the controller on becoming aware of a personal data breach without undue delay.
Data Subjects- More Control
The GDPR defines a data subject as ‘the identified or identifiable person to whom the personal data relates’. It will enhance the rights of data subjects which will include the right to correct data about them which is wrong, the right to restrict certain processing and a right to be forgotten/erasure.
In addition, data controllers have an obligation to respond to data access requests within a month, as opposed to the 40 day period given under the Data Protection Act 1998.
The GDPR defines consent as a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of his or her personal data. It is not yet clear if there is any scope for implied consent to be valid.
Data subjects also have a right to withdraw their consent at any time, although this will not affect the lawfulness of any processing carried out before the withdrawal.
Sanctions, Consequences, Penalties
The penalties that supervisory authorities can impose for breaching the GDPR are steeper than under the current law. Both data controllers and third-party data processors can face hefty sanctions, with a maximum fine for the most serious cases of up to €20m or 4% of an organisation's global turnover (whichever is the greater)! Some contraventions will be subject to administrative fines of up to €10,000,000 or, in the case of undertakings, 2% of global turnover, whichever is the higher. Administrative fines like these are discretionary rather than mandatory.
Any person who suffers damage as a result of infringement of the GDPR will have the right to receive compensation for both financial and non-financial losses from the controller or the processor. Currently, liability for compensation falls only on the controllers.
Where an accidental breach of personal data has occurred, data controllers must notify most data breaches to the ICO (Information Commissioner's Office). Data processors who breach the Regulation will also have an obligation to notify the relevant controller. In both cases this must be done without undue delay and, where feasible, a controller should notify the ICO within 72 hours of becoming aware of the breach.
What to do next?
If reading about these updates has got you worried and wondering if a career switch is the best way to deal with the regulations, you have nothing to fear. Give us a call or drop us an email and we can help you plan the best strategy for the success of your business whilst ensuring that you remain in line with future regulation.
Kleyman & Co Solicitors. The full service law firm. For your good business decisions and your not so good ones!