The countdown is on until the General Data Protection Regulation (GDPR) applies from May 25 2018. Although it is still a few months away, it contains some onerous obligations, many of which will take time to prepare for, so action needs to be taken now. B P Collins’ corporate and commercial practice can help.
We can advise on what will change and what action your business needs to take, and help shape company policy moving forward. All advice will be tailored to your business. The penalties for breaching the new data protection laws could cripple a company, with fines of up to 4% of annual turnover or 20 million euros – so it may be prudent to book a meeting with B P Collins now to reduce the risk of your business falling foul of the rules in the future.
Alex Zachary, partner and practice group leader of B P Collins’ corporate and commercial practice, highlights the most significant changes and what businesses should be doing now to prepare:
Consent will be harder to obtain – a business needs to be able to show that it has a legal basis for processing personal data. If your business relies on consent as its legal basis for processing, you will need to ensure that any consent it obtains shows affirmative agreement from the person who gave it, and that they clearly understood what they were consenting to. For example, they will need to actively tick a blank box to give their consent; merely failing to untick a pre-ticked box will no longer suffice under the new rules. If you process their data for a number of different purposes, you will also need to be able to show that the person has clearly consented to each use.
Has your business considered how it will demonstrate that consent has been given sufficiently for all your processing purposes?
GDPR will expand its geographical scope – even after Brexit, and even if new UK national data protection laws are introduced, if you supply goods and services to people in the EU you will have to abide by the GDPR rules.
Has your business got a compliance plan in place?
Data access requests from individuals – businesses must reply within one month and provide more information, in a more “portable” format, than was required under the soon-to-be-replaced Data Protection Directive. Individuals will also have the right to request that businesses delete their personal data in certain circumstances.
Have you thought about how your business will respond within the new timescale, how it will provide the additional information required in the right format, and how it will comply with a request to be “forgotten”?
Strict new data breach notification rules – the GDPR requires businesses to notify the National Data Protection Agency of all data breaches within three days, unless the breach is unlikely to result in a risk to individuals.
Has your business prepared and rolled out a data breach response plan that enables you to react immediately when a breach occurs?
Risk-based approach and privacy by design – the GDPR adopts a risk-based approach to compliance, under which businesses bear responsibility for assessing the degree of risk that their processing activities pose to individuals. Businesses are also required to conduct a mandatory data protection impact assessment before carrying out any processing that uses new technologies and that is likely to result in a high risk to data subjects.
Have you made senior decision makers in the business aware of the rules, audited the data you hold and what you use it for, reviewed your legal basis for processing and any technology changes, and assessed the likely risks?
There are many more changes to come which could impact your business. For accessible, comprehensive advice, or to arrange a data protection meeting tailored to your business, contact Alex Zachary.
Under data protection law, you have his permission.