You may have heard a lot of talk about the new General Data Protection Regulation (“GDPR”) that is due to come into force in May 2018 and will replace the current Data Protection Act (“DPA”). This new regulation heralds an enormous change to an individual’s right to privacy and will have a significant impact on the way in which you need to run your business.
Whilst the legislation behind this comes from the European Union, Brexit will not prevent this legislation coming into force in the UK, indeed our government has confirmed that it will continue to apply following Brexit.
The introduction of the GDPR is seen as necessary to deal with technological changes since the DPA was introduced back in 1998 (the year in which Google first launched and Facebook and Instagram were but a distant dream).
The GDPR will introduce some significant changes to the data protection regime, and businesses in the UK should be starting to review whether they are compliant with the new framework. One of the key changes that GDPR will introduce is the level of penalties for non-compliance; in the event of a data breach, the potential fines could be up to Euro 20 million or 4% of your global group turnover (whichever is higher).
A lot of the principles embodied by the GDPR and the DPA are very similar and for those businesses who have good processes and policies in place to comply with the DPA the change between the regimes should not be too taxing. That said, it is key to understand that compliance with GDPR is not just a box ticking exercise, in the future privacy and the risk of privacy breaches will need to be considered at every step in the development of new ideas and through their execution.
So What Can You do to Start Getting Ready for GDPR?
The Information Commissioner’s Office (the body in the UK with responsibility for enforcement of the DPA and GDPR) has set out 12 areas for businesses to start looking at:
- Awareness - Ensuring that your business and key stakeholders in your business understand that the law is changing and the likely impact on your business;
- Audit - understand and document what data you hold, what you do with it and who you share it with;
- Privacy notices - the GDPR requires greater transparency in relation to telling individuals what you are going to do with their data, what you are using it for and how long you will be keeping the data. You will need to review your privacy notices to ensure they are reflective of your use of data;
- Processes for new rights – the GDPR will give individuals rights to request that data be deleted and/or for data to be portable and provided electronically and in a commonly used format – you will need to check whether your procedures can deal with this;
- Subject Access requests – the timescales for responding to subject access requests (requests for information from individuals about the data you hold on them) have been shortened and the information that can be withheld has been amended – again, you will need to consider your processes around this;
- Reason for processing – As with the DPA - you can only process data if you have a lawful basis to do so (e.g. consent of the individual) – you will need to identify and document this.
- Review consent – the GDPR raises the bar in relation to what consent from individuals means – you will no longer be able to simply infer consent from an action or a failure to untick a box – consent needs to be freely and unequivocally given. Again, you’ll need to consider and review your policies. You may also want to refresh consents that have already been given.
- Children - if you deal with children, you need to consider putting in place systems to verify ages and ways in which to get parental or guardian consent to processing;
- Data breaches – under the GDPR, there is a requirement to notify the ICO (and in some circumstances the individual) within 72 hours of a data breach happening – you will need to review your processes to ensure you’re able to comply with this.
- Privacy by design – one of the key elements of the GDPR is that privacy is to be “hard baked” into processes and methodologies and that privacy impact assessments are undertaken prior to undertaking new processing methods to understand the risk to that data.
- Data Protection Officers – certain organisations (such as those that carry out regular and systematic monitoring of individuals on a large scale and public authorities) are required to appoint a Data Protection Officer. However, even where you are not obligated to appoint a DPO, you should designate someone in your organisation to have responsibility for compliance with GDPR.
- Lead Authority – if you operate internationally, you are able to appoint a lead authority to deal with in terms of your data protection compliance.
...But What Exactly Does That Mean for My Business?
Whilst the ICO is providing guidance for businesses, this is being added to on a regular basis, so all businesses need to keep an eye on developments to make sure they are compliant when the regulations come into force.
However, with that caveat in place, I think there are five things that all businesses should be doing now to ensure that they are as prepared as they possibly can be for the time when more detail is made available:
- Businesses need to understand what personal data they hold on individuals and where it is held. Types of data to consider include: customer account information for retail businesses, CV databases for recruitment agencies, marketing databases and the content of your CRM and email address books wherever they are held (on phone or email systems). The potential data stores are defined only by your business processes and you really should consider everything you do, no one business will be the same as another. Serious introspection is required and you should be able to demonstrate that you’ve conducted a data audit.
- You need to ensure you have an environment and processes that keep the data you identify as safe as it can be. Consider what options are available to you and take steps to make sure your data is held securely – document your decisions.
- You need to document and live by processes that can help you manage the data you hold safely. Data should only be accessible for valid reasons and should have adequate security. You will also need processes that will enable you to provide or delete any held data upon demand. Make sure your processes for the management of data are documented and that people within your business know what you expect of them in this regard.
- Ensure that you have gained permission from consumers if you plan to send out email marketing campaigns. Just because someone has bought something from you in the past, it doesn’t mean you can keep sending them marketing emails – you need to ensure they actively consent. So review your existing marketing lists for consent and, if you don’t have it, develop a strategy to help you gain it.
Richard Parkinson is Partner and Head of Commercial at Manchester law firm JMW. If you’d like to discuss GDPR or any other commercial issue with him please contact him on 0345 872 6666.