Data Protection laws are changing.
You may have already heard of the GDPR or General Data Protection Regulation which will take effect from the 25th of May 2018. The GDPR is a new piece of legislation from the European Union which will replace the current UK Data Protection Act or DPA (1998). Britain’s decision to leave the EU will not affect the implementation of this new law, which will apply to companies across the world that process personal data belonging to citizens from the EU.
This means that not only will the GDPR apply to businesses within with European Union, but also to organisations in the rest of the world who provide products or services in the EU.
Who will be affected?
The new law applies to any organisation handling the information of EU citizens although if you are currently affected by the DPA, you are likely to be subject to the GDPR. More specifically, the GDPR outlines ‘controllers’ and ‘processors’ of information. Under the regulation, controllers are defined as those who decide how and why personal information is processed while the processor acts on their behalf. These definitions are similar to those under the Data Protection Act however, controllers and processors will have new obligations under the General Data Protection Regulation.
Under the GDPR, processors will be responsible for maintaining records of personal data and will be liable for any breach in the way the information is handled. Controllers on the other hand, will have the added responsibility of ensuring that they comply with the GDPR when dealing with processors.
What data will it apply to?
The General Data Protection Regulation will apply to personal data however, its definition of this type of data is a lot more detailed than that outlined in the Data Protection Act. The definition of personal data from the GDPR includes information that can be used to identify an individual such as IP addresses and economic, genetic or cultural information.
The GDPR also specifies the formats that the regulation applies to. The new law will cover both automated data stored on computer systems and data stored manually in physical filing systems.
While the new law will not apply to data that is processed for national security reasons or personal activities, the majority of personal information used by businesses will be subject to the GDPR. It will therefore be difficult for companies to avoid complying with the new legislation from next year.
Changes to consent when collecting personal data
The General Data Protection Regulation will also change the way that organisations can collect data. The legislation will require all companies to be able to prove that they have consent when collecting personal data. In order to obtain valid permission, organisations will have to use language that is easy to understand when requesting consent from an individual to collect personal data. They will also be required to clearly state how the data will be used.
Changes in the workplace
Many organisations may find that the GDPR results in little change in the way that they store data as they are already complying with the current legislation. The way that contact details, databases or HR records are stored is likely to remain unaffected.
Other organisations including public authorities however, will be required to implement a number of changes. These organisations will need to appoint a Data Protection Officer or DPO when processing personal data on a large scale. Instead of focusing on the size of the organisation in terms of employee numbers, the General Data Protection Regulation will focus on the scale of information and how it will be used.
The General Data Protection Regulation also requires all systems, software and processes to comply with the new legislation. They will have to include privacy by design, an example of which would be ensuring that data can be erased if requested by the individual.
Another change that the GDPR may bring to the workplace is the introduction of Privacy Impact Assessments or PIAs. These assessments will be carried out to minimise breaches of data in situations where there is a high risk of a breach. The controllers within an organisation will be required to carry out PIAs before starting projects involving personal data and they will also need to work closely with Data Protection Officers to ensure that they are complying with the GDPR throughout the project.
The long-term use of data
Under the General Data Protection Regulation, organisations will be prohibited from storing data for longer than is necessary and will be required to delete information if requested to do so by the individual. Organisations will not be allowed to change the purpose for which they originally collected and used the data. In order to use the data for a different purpose, organisations will be required to attain fresh consent from all of the individuals whose data the change affects.
Consequences of non-compliance
Organisations across the UK and globally will be required to comply with the General Data Protection Regulation and the consequences of failing to do so could be severe. The European Data Protection Authority will be able to take action against organisations anywhere in the world who fail to comply with the legislation. Non-compliance could result in organisations receiving fines of up to €20 million Euros or the equivalent to 4% of their yearly global turnover. Failure to attain valid consent could also result in any personal data handling activities being shut down by the authorities.
How can I prepare my business?
The introduction of the General Data Protection Regulation may seem daunting at first glance but there are some simple steps that you can take to prepare for the changes ahead. Firstly, you should check that your current data protection procedures are up to date and comply with the current legislation. Ensure that your organisation can demonstrate that it has effective procedures in place to prevent any breaches of personal data. It may also be necessary to provide training to employees on the updates to data protection laws and ensure that they understand the procedures in place within your organisation for handling data.
The ICO has created a 12-point plan for businesses to follow in order to comply with the GDPR that you may find useful.