There is much discussion and hype surrounding the General Data Protection Regulation set to come into force next May, so we thought we’d break this topic down into some of the key things that you should know about GDPR.
GDPR is widely regarded as the biggest change to the data protection regime in the UK for nearly 20 years. It comes into effect on 25 May 2018, meaning that businesses now have less than eight months to understand and assess the impact of the new regime on their business practices.
GDPR affects how you process (for example, collect, store, use and dispose of) personal data. Personal data is any information relating to a person or which might be traced back to a particular person. Name, address, email address, phone number, age, ethnicity, medical and financial details are all examples of personal data.
GDPR will impose more stringent requirements in a number of areas with a view to giving individuals more control over their personal data, and failure to comply with GDPR could lead to significant fines.
So here are some of the key differences between GDPR and the current Data Protection Act 1998 that you need to be aware of:
- Expanded territorial scope – Any person or company, whether they are inside or outside the EU, will be subject to GDPR if they offer goods or services to people in the EU (even where no payment is received) or if they monitor people’s behaviour within the EU.
- Increased enforcement powers – GDPR will significantly increase the maximum fines for non-compliance up to €20 million or four per cent of global turnover (whichever is higher).
- Consent, as a legal basis for processing, will be harder to establish – if you wish to process data under GDPR, you must have the consent of the person whose data you hold. This must be freely given and unambiguous, for a specific purpose, via a clear, affirmative action. Businesses must be able to demonstrate that the data subject gave this consent and will need to be able to prove that consent was validly obtained. The data collected must only be used for the specified purpose and only stored for as long as is necessary to carry out that stated purpose. Clear details must also be provided about how people can opt out or request that their data be erased.
- New obligations for data processors – GDPR introduces direct compliance obligations for processors (those who process personal data on behalf of another person who controls the data) meaning that processors may be liable to pay non-compliance fines.
- The ‘accountability’ principle – GDPR requires businesses to demonstrate that they are complying with the GDPR principles by, for example, implementing appropriate technical and organisational measures (such as internal data protection policies), maintaining relevant documentation on processing activities and appointing a data protection officer (where required). Compliance means showing ongoing awareness and accountability, as opposed to a one-off box-ticking exercise!