Data is without doubt the currency that now underpins the digital economy and GDPR recognises today’s data-driven world and the advances in technology over the last 20 years. It adopts a practical approach to balancing an individual’s concerns regarding the use of their personal data with lawfully unlocking the value businesses can get from that information.
For businesses already familiar with the current data protection regime (Data Protection Act 1998), GDPR represents an evolution rather than a revolution in approach. The changes under GDPR will likely mean that all businesses will need to assess what personal data they collect, why they collect it, what they do with it and how they dispose of it.
While GDPR is a European law, businesses should not assume that Brexit means they can ignore it. Theresa May stated clearly at the beginning of March that data protection was one of the five key foundations that would underpin the future relationship between the UK and the EU. Businesses should therefore regard any investment in moving towards GDPR compliance as a long-term investment, as any future data protection laws in the UK are unlikely to differ greatly from GDPR.
Data protection is increasing in importance for individuals. Consequently, businesses at all stages of the supply chain need to consider how GDPR may affect their internal data (e.g. employee records) and external data (e.g. their own or third parties’ customer data). The sanctions for failing to comply with GDPR consist not only of the headline-grabbing fines, but are also likely to include negative publicity and the costs of dealing with non-compliance (e.g. compensation to affected individuals) – factors which will probably have more business impact than the fines themselves.
The Information Commissioner’s Office has put together some extremely useful guidance on GDPR and this is freely available through its website – www.ico.org.uk
For more information on the issues raised by this article, contact Gareth at [email protected] or on 0113 205 6766.
Why is GDPR being introduced?
Put simply, there is more data around now than ever before and without access to that data businesses cannot function.
If not being able to access any of your employees’ or customers’ personal data would have a significant, detrimental impact on your day-to-day trading, then you should take GDPR very seriously and ensure that your business has implemented appropriate measures to protect your position.
GDPR balances businesses’ needs to use personal data with the rights of the individuals whose data is being collected. Thankfully, the provisions within GDPR are founded on six common-sense principles – which, even if GDPR were not coming into force, most businesses would regard as prudent measures anyway.
In simple terms, the six principles are:
- To process data fairly and in a transparent manner;
- To collect and use data for legitimate purposes;
- To only collect the data you need for your specific purposes;
- To keep data you collect accurate and up to date;
- To not keep data for longer than you need it;
- To keep the data you collect secure.
If you can follow these principles within your business then you will go a long way to ensuring you are complying with GDPR requirements.
What should you do to prepare?
If you consider GDPR is relevant to your business, the following provides a high-level checklist of actions you may wish to take prior to May 25:
1: Carry out a data audit to identify all the personal data you collect and how you use it. This is probably the most important step you will need to take, as unless you start from a position of 100 per cent certainty as to what personal data you use it is going to be difficult to make sure you have covered all the requirements under GDPR.
2: Review your existing data protection documents (e.g. privacy notices; fair processing statements; standard terms and conditions) to ensure they continue to comply with GDPR. The rules on “consent” are changing and most businesses will need to revisit this provision if they intend to continue using this ground to justify processing in the future.
3: Establish a paper trail to demonstrate how your business complies with GDPR. This will include keeping details of training provided to employees through to details of any data protection impact assessments you have carried out.
4: Do you need to appoint a data protection officer as required under GDPR? Even if you are not required to appoint a DPO, GDPR will still apply – so who is going to be responsible for implementing and monitoring your ongoing data protection responsibilities?
5: Who within your business will deal with any breaches of GDPR? This is particularly important if you are the “controller” of data, as you will need to report breaches in certain circumstances to the UK regulator (the Information Commissioner’s Office) within 72 hours.
6: If you receive personal data from external sources or you provide data to third parties, do your current contracts properly cover your data protection obligations? If any of your transfers involve sending personal data outside the EEA (e.g. if your cloud software provider hosts your data in the US), you will need to consider legitimising the transfer of data outside the EEA (a process that can be simpler than it sounds!).