The General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and will replace the existing UK Data Protection Act 1998 (DPA 1998). The GDPR is intended to strengthen and harmonise data protection laws across the EU. Despite ‘impending’ Brexit, the GDPR will come into effect in the UK and is likely to remain in force (in a substantially similar form) after Brexit under the auspices of the UK Data Protection Bill. It is therefore important for UK businesses to plan for the GDPR and begin implementing the necessary changes to business practices and procedures as early as possible to ensure compliance once the GDPR becomes effective.
The GDPR will apply to most businesses. If you obtain and hold personal information relating to any living individual, including your existing and prospective customers and employees, then the GDPR will apply to your business. One of the key changes brought about by the GDPR is that it imposes direct obligations to data processors as well as data controllers, whereas the DPA 1998 only applied to data controllers. This means that businesses that process personal data on behalf of others, e.g. HR and payroll providers and marketing agencies, must comply with the GDPR.
The GDPR definition of ‘personal data’ is wider than under the DPA 1998 and includes any information which either directly identifies an individual or which can be used to identify an individual. Such information includes traditional identifiers (such as names, dates of birth, and addresses) as well as online identifiers (such as IP addresses, device IDs and cookies).
The broad definition of personal data means that practically any data collected from or about individuals can be considered as personal data unless it is properly anonymised. There are specific rules regarding ‘sensitive personal data’ and criminal convictions. Most businesses will hold at least some personal data, whether it relates to their clients, employees or the contacts. It is crucial that businesses carry out an assessment of what information they hold and what changes, if any, should be made to ensure compliance with the GDPR.
The Information Commissioner’s Office (ICO) website (https://ico.org.uk/) has plenty of useful information and checklists to help business owners prepare for the implementation date.
The GDPR sets out different obligations on data controllers and processors and requires data controllers to include specified data protection obligations in any processing contracts. The GDPR also imposes a new obligation of ‘accountability’ which requires businesses to be able to demonstrate compliance with the GDPR. It is therefore not sufficient for businesses to simply ensure they comply with the data protection requirements; they must be able to show that they have relevant data protection policies and procedures in place, for example:
In the event of a security breach which results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, there are new obligations to make a notification.
Where the breach is likely to result in a risk to the rights and freedoms of individuals, the GDPR requires notification of the breach to the ICO. If the breach is likely to result in a high risk to the rights and freedoms of individuals the GDPR requires you to notify the individuals affected.
The ICO has the power to award compensation to individuals and impose fines up to the equivalent of €20m or 4% of the worldwide turnover of the business who has breached the GDPR, although the ICO has indicated that fines will remain the last resort. The GDPR gives the ICO a suite of sanctions to help organisations comply, including warnings, reprimands and corrective orders. However, regardless of the sanctioning powers available to the ICO, a business that fails to comply with the GDPR puts itself at risk of reputational and professional damage.
The most important points to consider are:
For further information or advice on GDPR compliance please get in touch with our experienced Commercial team on 0117 9733 989 or by emailing firstname.lastname@example.org.
This article is provided for general information purposes only and represents our understanding of the relevant law and practice as at the date of uploading. This article should not be relied upon as legal advice pertaining to any specific factual situation. Legal decisions should be made only after proper consultation with a legal professional of your choosing.Back to Index