On 14 September 2017, the Government published its Data Protection Bill. The bill takes account of the EU’s General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, and reaffirms that GDPR will continue to apply post-Brexit. GDPR has been widely touted as the biggest overhaul of data protection legislation for 20 years.
Does it apply to me?
Whether you are a sole proprietor, company or partnership; a data controller or a data processor; a business or an employer; or an organisation dealing with third party suppliers and contractors: if you handle personal data, you should already be thinking about and preparing for GDPR. Understandably, the prospect of fines of up to €20 million or 4% of global annual turnover (whichever is higher) for the most serious infringements sounds very daunting.
What do I need to do?
You can find out how GDPR will affect your business from the Information Commissioner’s Office (ICO) website, which provides:
• an overview of GDPR with a helpful 12-step checklist and other guidance;
• details of webinars and workshops (often free to attend); and
• the ICO newsletter and blog which provide regular updates.
It is not a matter of one size fits all. Checking regularly against the definitions and exemptions in the legislation, and keeping up-to-date with the latest guidance may mean you can confirm or discount some actions immediately.
You will need to be able to demonstrate that you are meeting the GDPR principles, which can be summarised as:
Having raised awareness of GDPR with key decision makers, you will need to consider and document, for example:
• what kinds of personal data you collect and use;
• how and when you obtain and use this data;
• where the data is held (whether in paper or electronic form);
• who has access to the data and who you share it with outside your organisation; and
• how long you should keep the data for.
You may already have some of this information as part of your compliance with existing data protection legislation.
Carrying out this assessment will also help you judge whether you can:
• demonstrate the relevant lawful basis for processing personal data;
• meet the rights of individuals under GDPR;
• check whether you have GDPR-compliant consent where you need it;
• put the right procedures in place around data breach identification, reporting and investigation (under GDPR, a breach that is likely to result in a risk to individuals must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, so the procedure needs to include a way of detecting and assessing a breach quickly); and
• confirm that the contracts you have with others (not just IT providers) take GDPR compliance into account. GDPR requires that personal data is kept secure to protect it from ‘unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’.
One approach is to consider what you would need to provide the ICO if they visited your business. See Appendix 1 in the ICO’s ‘Guide to Data Protection Audits’.
What other regulation should I bear in mind?
You will need to refer to the Data Protection Bill as well. The Government has described this bill as ‘a complete data protection system, so as well as governing general data covered by GDPR, it covers all other general data, law enforcement data and national security data. Furthermore, the Bill exercises a number of agreed modifications to the GDPR to make it work for the benefit of the UK in areas such as academic research, financial services and child protection.’
If you send direct marketing, consider the ‘Privacy and Electronic Communications Regulations’ (PECR), which sit alongside the Data Protection Act 1998 (DPA) and are currently under review. The UK Government has signed up to the EU’s proposed new e-Privacy Regulation, which is intended to replace the regime behind PECR, too.