The General Data Protection Regulation (GDPR) will come into force in the UK in just under a year’s time – on 25 May 2018. It will be the biggest reform of data protection law for 20 years and brings with it a raft of changes and new obligations which will affect all businesses and organisations.
The GDPR will come into force notwithstanding the UK’s planned exit from the EU (and in all likelihood will remain in place immediately post-Brexit). Therefore, if your business has not yet taken steps to get itself ready for the GDPR, now is the time to start. One feature of the GDPR is that there are no transitional provisions from the old law, so the new regime will be in full effect from day one, i.e. 25 May 2018.
The changes that the GDPR will introduce include:
- the need for businesses to be able to demonstrate that they are complying with the new regime and that their processing of personal data is lawful;
- enhanced rights for data subjects;
- a new regime for data processors;
- a requirement to build an assessment of privacy issues into any product or process development;
- a requirement to notify data protection breaches to the ICO; and
- greatly increased fines for data protection breaches.
We would strongly suggest that all businesses and organisations review their preparations for the GDPR and step them up if necessary. The Information Commissioner’s Office (ICO) has published guidance on the kinds of things that all businesses should be doing to prepare. Our suggestion is that all businesses need to be thinking about and taking at least the following steps at this stage:
- Research and education – find out more about the GDPR and how it is likely to affect your business and disseminate this information to key people within the business. Organise training sessions as necessary.
- Data Protection Officer – decide whether or not you will have to appoint a Data Protection Officer (or whether you will appoint one voluntarily) and put the necessary steps in place to recruit the appropriate person, if required. Remember that there will be a huge number of businesses looking for Data Protection Officers in advance of the implementation of the GDPR.
- Data audit – look at your business as a whole and carry out a careful audit of the personal data that you hold, how you obtained it, what you do with it and on what legal basis. If you are relying on consent as the basis for processing any data then you need to review this carefully, as the GDPR makes relying on consent much more difficult than under the previous legislation.
- Security review – look carefully at your ICT and data management systems and decide what steps need to be taken to change or upgrade those systems. Leave enough time to test and implement any necessary changes and upgrades ahead of 25 May 2018.
- Review your privacy notices and policies – the GDPR sets out a list of mandatory information which you must give to all of the data subjects on which you hold data and this would need to be reflected in your practices.
- Supplier contracts – your organisation is likely to use suppliers to process information on your behalf. Your contracts with these people/organisations will need to be reviewed and brought into line with the GDPR, which sets out a number of things that must be present in these contracts.
- Data breaches – the GDPR brings with it obligations to report breaches to both the ICO and to the affected data subjects – you will need to have procedures in place to comply with that.
There are also likely to be a number of other considerations for your business, many of which will depend on the nature of your business – for example, if you process the personal data of children or if your organisation is international in nature, there are other changes that apply specifically to your organisation.
The important thing is to document all of the steps you take. The GDPR places a great emphasis on accountability and compliance. It is important not only to comply but to show that you are complying.
Finally, don’t panic – there is still nearly a year to go but time is ticking. The GDPR is not going to go away and you need to be ready for it.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.