What is the General Data Protection Regulation (GDPR)?
The GDPR is the new data protection regulation that becomes a legal obligation from 25 May 2018.
Every business will have its own specific challenges regarding implementation of changes to internal systems to ensure compliance with the GDPR.
Theory is fine, but business owners, particularly smaller concerns, will no doubt want clear advice – what needs to be done to comply with the spirit of the GDPR without adding to the existing plethora of “red-tape” compliance that threatens to drown us all in non-productive activity.
Much publicity has been given to the down-side risks of non-compliance: up to 20 million euros or 4% of annual turnover in fines for getting it wrong.
Nevertheless, from 25 May 2018, any business that collects or stores personal data, whether in a paper or electronic format, will need to comply with the GDPR strictures regarding the rights of the individual to have their privacy protected. New requirements, not in the present Data Protection Act 1998, include:
- Reporting data breaches.
- Cross-border considerations.
- New rights for clients and other contacts: the need to inform clients how you are using their personal data and their rights under the GDPR to request that personal data is deleted.
- Need to demonstrate that your business is mitigating against risks of misuse of clients’ personal data.
The GDPR is a published EU directive, and it is being introduced into UK law, but there are certain aspects where detailed guidance is still not available: for example, the regulations that set out best practice for the delivery of marketing information by email are set out at present in the Guide to Privacy and Electronic Regulations, which will be updated by new e-Privacy Regulation that is timed to come into effect May 2018. The ICO have not published a detailed description of the scope of this new regulation.
There is little doubt that it will be necessary to undertake a “data audit” to map and record what personal data is held, as well as how it is used, protected and detail the process for removal, should this be requested.
Unfortunately, these changes in the data protection rules need to be taken seriously. We will all need to accommodate compliance on or before the May 2018 deadline. Watch this space for more information on this topic as more details become available next year.