Data Protection Reforms - Is Your Organisation Ready?
The current data protection law is embodied in the Data Protection Act 1998 (DPA) and compliance is overseen by a regulatory body, the Information Commissioner’s Office (ICO).
The ICO have warned that “the biggest change to data protection law for a generation” is imminent.
The change is due to The General Data Protection Regulation (GDPR) – an EU Regulation. Despite Brexit, the GDPR will be implemented into our domestic law.
The Government has confirmed that GDPR will be effective from 25 May 2018 – leaving businesses and organisations with just over 3 months to prepare.
What is data?
It is a useful exercise to consider what we mean by ‘data’ and as such, what the GDPR will apply to.
Article 4 of the GDPR states that ‘personal data’ “means any information relating to an identified or identifiable natural person” which could be used to identify that person.
The definition is particularly wide in nature and encompasses any data which has the potential to identify a living person.
In addition, there is ‘sensitive personal data’ which includes, but is not limited to, biometric, genetic, religious, political, sexual orientation and trade union membership data. These categories of data are subject to enhanced protections under GDPR.
What is going to change?
Your organisation should already have robust policies and procedures in place to ensure compliance under the DPA. However, some of the key changes under the GDPR are as follows:
- Consent – Organisations must have a lawful reason to process data. One of these reasons is obtaining consent. The consent will need to be written in plain English, freely given, unambiguous and affirmative. The data subject has the right to revoke their consent at any time.
- Right to Access – the data subject has the right to request from the data controller what data (if any) is being processed about them, how and why. The data subject is entitled to a copy of all their data held by the data controller, which will now be free of charge.
- Right to be Forgotten – the data subject has the right to request that you erase all of their personal data when the data is no longer relevant to the purpose it was obtained for or when the data subject withdraws their request.
- Breaches and Self Reporting – In the case of a serious personal data breach, the organisation shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the ICO.
- Penalties – If an organisation is in breach of GDPR, fines of up to 4% of global turnover or up to €20 million, whichever is greater, can be imposed by the ICO.
The above is just a brief overview of some of the key changes. Their impact and effect on organisations will vary.
An Act of Parliament will come into force to incorporate the GDPR into UK legislation and you need to be ready before 25 May 2018.
The European Commission intend to launch an intensive advertising campaign to ensure the public are aware of their new rights.
The GDPR represents a fundamental shift in our domestic privacy laws in the digital age – if you think your organisation is not compliant with the current DPA or will not be compliant under GDPR, you need to act now!
A good starting place is the ICO website – www.ico.org.uk.
How can Chattertons help?
We recognise that every business and organisation is different and unique – each will process different data in diverse ways and have varying levels of current compliance.
Our solicitors and specialists can advise in relation to all data protection and GDPR matters, including:
- Conducting full GDPR Audits in your organisation to identify your compliance needs
- Assisting you in data mapping your organisation
- Drafting appropriate policies, procedures and privacy notices to help you achieve compliance
- Reviewing your existing commercial contracts with suppliers, customers and contractors
- Staff workshops, training and awareness materials
- Data breach management and ICO liaison
- Defending businesses and organisations subject to ICO investigation and prosecution
If you would like any further details in relation to data protection and GDPR compliance, or if you would like to discuss your specific needs and requirements with a member of our specialist Data Protection Team, please contact your most convenient office, complete our online enquiry form on the left hand side of this page or, if you would prefer, contact a team member directly.