The General Data Protection Regulation (GDPR) will replace the Data Protection Directive sometime around May 2018 and, given that the UK government has confirmed that Brexit will not exempt UK organisations from GDPR compliance, now is the time to start preparing for the changes ahead.
What does this mean for your business?
Becoming GDPR compliant is not something that can be achieved overnight. Businesses, while still maintaining compliance with the Data Protection Act (DPA) for now, should start taking steps to prepare for the GDPR if they have not done so already.
Many of the principles in the new regime are much the same as those in the DPA and if your business is complying properly with the DPA (as it should be) then you should be in a good starting position for transition to the GDPR. However, the fact remains that there are new elements, and some things will need to be done differently.
The Information Commissioner's Office has issued guidance on preparing for the GDPR, including publishing ‘12 steps to take now’. At Beswicks we would recommend first focusing on the following three key steps:
Businesses should be conducting audits to establish what personal data they hold, why they are holding it, where it is located, how it is secured and how long it is to be retained.
Once the audit is complete the findings can be maintained on an ongoing basis, making the transition to the GDPR a lot easier to manage.
You should be reviewing your data protection policies, codes of conduct and information notices to ensure they will be compliant with the new regime. If these do not comply (or do not exist) they should be amended or created as soon as possible.
The law regarding what constitutes consent as a basis for lawful processing has changed significantly, which could mean that some processing based on what currently qualifies as consent will cease to be lawful, so the review should also focus on this.
Procedures for responding to requests from individuals about data held about them should also be considered against the risk of an increase in such requests once the right to charge for dealing with these requests is restricted.
Existing supplier agreements and template contracts should be reviewed to ensure that the new data processing obligations are covered.
3. Understand how the changes in the law affect you
If necessary, and in the case of larger organisations, you should designate a Data Protection Officer (DPO) or someone to take responsibility for data protection compliance.
Other changes will affect particular types of organisations, for example, those dealing with children’s data and those engaged in profiling activities. Organisations which process data on behalf of others are now also caught under the legislation.
There are a number of other changes in the law to strengthen the rights of individuals and it is important for all organisations to be aware of these changes and how they will affect them.
Post-Brexit data protection landscape
One of the many changes under the new regime is that the GDPR will apply whenever EU residents’ personal data is processed in connection with the offer of goods or services or monitoring of behaviour within the EU, even if the organisation processing the data has no physical presence in the EU.
The UK has a clear goal of facilitating free personal data flows following Brexit, particularly to facilitate free trade, and it is likely that it will implement the GDPR to secure a clear flow of data between the UK and the EU.
Even if the UK also opts to leave the European Economic Area, the UK will have to implement a regime which is ‘adequate’ and ‘equivalent’ to the GDPR. The most practical way for the UK to do this will be to use the GDPR as a template, leaving us with something that is likely to be very similar to the GDPR.
If you need advice on the changes implemented by the GDPR, whether in relation to employment matters or commercial contracts, please contact us on 01782 205000 or by email.