EU GDPR Factsheet – Are You Ready for Data Protection Changes in 2018?
Posted on 11 Jan 2018
The GDPR will replace current data protection laws, including the Data Protection Directive (95/46/EC) (DPD), and will lead to the repeal of the UK Data Protection Act 1998 (DPA). GDPR provides increased privacy for individuals and gives increased powers to regulatory authorities to take action against data controllers and data processors who don’t comply with it.
Brexit will have no effect on the GDPR's application in the UK. Any formal UK exit from the EU is likely to occur after the GDPR becomes applicable law in member states in May 2018.
Moreover, if the UK negotiates to join the European Economic Area (EEA), the GDPR will continue to apply post-Brexit. If the UK does not join the EEA, the GDPR will in any event continue to apply to all UK entities that do business in the EU.
The deadline for GDPR compliance is the 25th of May, 2018.
What Will the GDPR Involve?
Tougher Penalties
- Fines of up to 4% of annual worldwide turnover or £17 million (€20 million) – whichever is greater.
- Introduction of new criminal offences (created by the UK Data Protection Bill that accompanies the GDPR, rather than by the GDPR itself): intentionally or recklessly re-identifying individuals from anonymised data, and altering records with intent to prevent disclosure.
Wider Remit
- GDPR applies to all organisations established in the EU, and to organisations worldwide that: (1) provide goods and services to individuals within the EU (including free of charge); or (2) monitor those individuals' behaviour. In practice, this means that firms established outside the EU but targeting customers inside the EU will have to meet GDPR standards.
- Data processors now have direct regulatory obligations.
- Definition of “personal data” extended to include identifiers such as: (1) genetic; (2) mental; (3) cultural; (4) economic; and (5) social identity.
Increased Rights for Individuals
- Right to erasure (the "right to be forgotten"): when a valid request is received, the individual's details must be removed from every system and database that holds them, which requires coordinated action across the organisation rather than deletion from a single record.
- Right to request a copy of personal data in a commonly used portable electronic format.
- Individuals have a right to withdraw consent, and "it shall be as easy to withdraw consent as to give it".
Changes for Data Controllers
- Accountability: organisations need to demonstrate compliance with the law, and must report personal data breaches to the Information Commissioner's Office (ICO) without undue delay and no later than 72 hours after becoming aware of the breach (unless the breach is unlikely to pose a risk to individuals' rights) and, in high risk cases, to the affected individuals themselves.
- The need to keep data inventories, as well as much more extensive and specific documentation about exactly what you are doing with personal data.
- Mandatory appointment of data protection officers for certain data controllers.
- Privacy by design and by default is required.
- Parental/guardian consent required to process children's data where online services are offered directly to a child (under 16, or a lower age set by the member state; the UK has proposed 13).
- Reduced timeframe for controllers to respond to subject access requests, and normally no ability to charge for them: information must be provided "without undue delay" and at the latest within one month of receipt of the request. A reasonable fee may be charged only for manifestly unfounded or excessive requests, or for further copies.
- The possibility of being audited by the ICO.
Harmonisation
- Increased co-operation and consistency between EU regulators
- A 'One Stop Shop' for data controllers operating across the EU, who deal with a single lead supervisory authority (the ICO for controllers whose main establishment is in the UK)
How Can We Help?
Our specialist data protection lawyers can provide expert legal advice to public and third sector organisations and businesses. If not already done, we recommend all of our clients take the following steps to prepare for the upcoming changes:
- Audit the personal data held – where does it come from/go, who is it shared with, what consents are attached to it
- Review privacy policies, data contracts and internal policies
- Audit cyber security
- Develop and roll-out a breach notification procedure
- Undertake privacy impact assessments on all new data projects
- Ensure contracts involving any personal data are “future-proofed” against the new regime
- Conduct employee training
We can help with any or all of the above, or with any other questions or concerns that you may have about the new law. Please contact Claire Sumner at sumnerc@swaynejohnson.com or telephone her on 01745 818297, 07715 521804 or 01829 707884.
Download Our EU GDPR Factsheet
By Claire Sumner – A commercial lawyer who provides training on commercial law, as well as training on GDPR. Claire regularly reviews contracts to identify and advise on key risks and reviews and revises standard terms and conditions to ensure they comply with the latest consumer protection legislation.