The biggest change to data privacy in 20 years

The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018.  Some of the changes, in particular the requirement for accountability, will leave many businesses with a lot to do if they are to be sure of compliance. 

The UK will adopt all EU legislation at the point of Brexit, so this regulation will continue in its current form unless and until the UK chooses to amend it.  As it provides a uniform approach across Europe, this is seen as beneficial to businesses operating within Europe or dealing with European businesses.

The Information Commissioner has published a guide, which highlights key steps to take now. 

The GDPR introduces a number of new concepts and approaches, although many existing core Data Protection Directive principles will remain unchanged.  Some of the key new provisions are:

  1. Wider scope – Non-EU data controllers and data processors will be subject to the GDPR when offering goods or services to, or monitoring the behaviour of, EU data subjects.
  2. Increased enforcement – Fines for non-compliance will increase significantly.  Businesses that have regarded non-compliance with data protection as low risk may need to re-evaluate in the light of substantial new fines and increased supervisory authority powers.
  3. Consent for processing will be harder to obtain – Relying on implied consent will be harder, as more affirmative action will be required.  Businesses should review existing practices to ensure that consent indicates affirmative agreement from the data subject.  Acquiescence to a ticked box will no longer be sufficient, and businesses will have to demonstrate that consent has been properly obtained.
  4. Privacy by design – Businesses are required to implement technical and organisational measures to ensure that the requirements of the GDPR are met by:
     a) Taking data protection requirements into account at the inception of new technology, products or services that involve processing personal data, and keeping those measures up-to-date.
     b) Conducting data protection impact assessments where appropriate.
  5. Risk-based compliance – Businesses must assess the degree of risk their processing activities pose to data subjects; GDPR provisions such as privacy by design, accountability and data security address this.
  6. Auditability – Businesses must keep clear records of all of their data processing activities and, if requested, provide those records to their statutory authority.
  7. Enhanced data subject rights – The GDPR increases data subjects’ rights, giving them the right to have personal data erased in certain circumstances, to object to profiling and to enjoy data portability.  A new right allows them to obtain a copy of their personal data from the data controller and to transmit those data to another controller (for example, an online service provider).  In addition, data access requests must be handled promptly.

The GDPR’s provisions will affect organisations differently depending on the nature of their business.  At Birkett Long, we would encourage IT, data and marketing managers to find out what impact the new regulations will have on how they collect and use data so that they avoid any nasty surprises.

Our business team can help you understand the GDPR and its effect on your business.  For more information about the new regulations contact Tracey Dickens on 01206 217326 or tracey.dickens@birkettlong.co.uk.  

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.