GDPR – Coming, ready or not

    Businesses now rely on technology and the transfer of data online more than ever before, leading to an increased risk of data breaches occurring. This has led to an overhaul of data protection laws in Europe.

    Europe’s data protection laws will undergo their biggest change in two decades when the new General Data Protection Regulation (GDPR) comes into force on May 25. GDPR will replace the current UK Data Protection Act 1998, and will uniform data protection requirements across all EU member states.

    GDPR: Everything you wanted to know but never dared to ask

    Does this apply to me?

    GDPR will apply to all companies, however big or small, that market goods or services to EU residents, even if a company does not have an establishment in the EU. Companies may, therefore, find themselves subject to the new regime even if they do not have a business presence in the EU, for example, technology companies.

    What is personal data?

    The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. GDPR broadens the definition of ‘personal data’ to location data and online identifiers, such as IP addresses and cookie data. ‘Sensitive data’ such as biometric and genetic data, which is becoming increasingly common for businesses to collect, will be subject to a higher standard under GDPR.

    Am I liable?

    Data processors (responsible for processing data on behalf of a data controller, who determines the purpose and means of processing personal data) will now be directly liable for some matters which were previously only the data controller’s responsibility. This is particularly significant as there will now be the possibility for individuals to enforce their rights directly against data processors.

    Am I accountable?

    Businesses will not just need to comply with GDPR, but will have to do so in a demonstrable manner. Policies and procedures must be documented, updated and impact assessments must be undertaken. Businesses will also need to consider privacy implications when designing new processes, products or services.

    What are the consent requirements?

    GDPR requires a higher level of consent, and businesses must obtain specific, informed and unambiguous consent, with a clear affirmative action, ie an unticked tick box, to process that individual’s data in certain circumstances. Consent must be easy to withdraw and explicit.

    What happens if I am in breach?

    GDPR will dramatically increase fines for non-compliance. Companies violating GDPR may be fined up to €10 million or 2% of their global annual turnover, whichever is greater for smaller offences. For more serious offences, this is increased to €20 million or 4% of a company’s global annual turnover, whichever is greater.

    Is GDPR just another ‘Millennium Bug’?

    Unlike with the Millennium Bug, GDPR is known, and we know what is coming. The new legislation will happen, and it will come into force on May 25.

    There is, however, more to be concerned about than just receiving a fine for non-compliance. Judicial remedies are also likely to be sought, where damages could amount to much more than any fine, for example, the potential loss of share values in non-compliant companies. Media could also have a field day ‘naming and shaming’ organisations who are found non-compliant.

    GDPR: Not just a project

    There is still a tendency within some businesses to think that GDPR is a one-off project. This is not the case. Identifying temporary resource and allocating one-off budgets to comply with GDPR will not make it ‘go away’.

    Getting ready for GDPR will mean implementing ongoing privacy governance, policies and processes, and continuously training staff on GDPR compliance. If a company’s process for collecting data changes, policies and procedures will need to be updated accordingly.

    For example, in commercial deals, data protection and privacy has gone from being a last minute, minor consideration, if a consideration at all, to a major hurdle to overcome in order to close a deal. In addition, the new and expanded rights under GDPR hugely increase the potential for data protection to be used as a weapon in the context of employment disputes.

    Owing to the breadth of GDPR, businesses are advised to conduct an audit and a comprehensive review of data they hold and their existing data protection procedures to allow sufficient time and resources to affect the necessary changes required to ensure GDPR compliance.

    Download our full GDPR and Data Protection guides at:

    herrington-carmichael.com

    Herrington-Carmichael