
GDPR – why data is more important than ever

On 25 May 2018, the General Data Protection Regulation (GDPR) will replace the current Data Protection Act 1998 (DPA). The ICO Information Commissioner, Elizabeth Denham, has described it as “the biggest change to data protection law in a generation”. The principles of GDPR are very similar to those of the current DPA; however, there are new elements and significant enhancements, so businesses of all sizes will need to take steps to ensure they comply with the regulation.
It is essential to consider your approach now to ensure sufficient time to put in place any new procedures to deal with GDPR, especially if this involves budgetary, IT, personnel or communication implications. The Information Commissioner's Office (ICO) is the regulator in the UK responsible for ensuring compliance with these regulations. The ICO has produced various guidance and tools to assist you, and it is recommended that you review this documentation to evaluate the impact of GDPR on your organisation.
ICO – overview of the General Data Protection Regulation (GDPR)
The regulations are detailed and will require much analysis for any affected organisation but we have picked out some key information below to help with any initial review.
Personal data is any information which can be linked to an identifiable person. Personal data is defined largely in the same terms as under the existing DPA; the main changes are to add specifics such as IP address, genetic and location data.
The GDPR widens the scope of the existing DPA to cover data on all EU subjects, irrespective of where the data processing actually takes place.
The key principles of GDPR are that personal data should be:
• Processed lawfully, fairly and in a transparent manner.
• Collected for specified, explicit and legitimate purposes.
• Adequate, relevant and limited to what is necessary.
• Accurate, and where applicable, up to date.
• Kept in a form which permits identification of individuals for no longer than is necessary.
• Processed in a manner that ensures appropriate security.
The key new principle is that of accountability – you must show how you comply with the above principles. You must enshrine privacy by design and have proportionate governance processes in place to ensure accountability at all levels of an organisation.
GDPR – data consent
The guidance around consent is now clearer. To have consent, you must have some form of clear positive action. Inaction, pre-ticked boxes or silence do not constitute consent. Consent must be verifiable and recorded and any individual must retain the right to withdraw consent at any time. If existing consents meet these requirements, it will not be necessary to re-obtain consent from existing individuals.
It is important to consider this knowing that the ICO has recently fined several high profile companies including Morrisons and Honda for failing to follow data protection rules. All of these fines were imposed on the basis of not meeting existing DPA requirements.
There is a significant increase in the fines that can be imposed under GDPR for non-compliance. For some breaches, including failing to obtain valid consent, fines can be up to 4% of annual worldwide turnover or 200 million Euros (whichever is greater). Other breaches can result in a fine of 10 million Euros or 2% of annual worldwide turnover. The significance of these potential fines should incentivise businesses of all sizes to ensure they comply with the GDPR by the 25 May 2018 deadline.
The GDPR goes beyond the DPA to give explicit rights to all individuals of the following:
• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Rights in relation to profiling / automated decision making
It is important to note the GDPR states that children aged under 13 cannot give consent, those aged 16 or older can freely give consent, and there is some national flexibility for those in between. The ICO is expected to confirm that parental consent will be required for all those under 16 years old.
The GDPR introduces a duty to report personal data breaches to the ICO. A breach can refer to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Where such a breach is likely to have an effect on the rights and freedoms of an individual, it must be reported to the regulator; you also have to notify the individuals concerned directly if the risk is high. Breaches must be notified within 72 hours of an organisation becoming aware of them. Failure to notify can in itself result in a fine of 10m Euros or 2% of turnover, whichever is the greater. This reporting window is relatively short, so you must ensure you have robust procedures around the internal reporting of potential breaches.
The ICO has put together “GDPR – 12 steps to take now”, which provides a checklist for businesses to ensure they are prepared for the 25 May 2018 deadline.
1. Awareness – be aware that the law is changing to GDPR and appreciate the impact
2. Information you hold – document what personal data you hold, where it came from and who you share it with
3. Communicating privacy information – review current privacy notices and plan any necessary changes
4. Individual rights – check procedures to ensure they cover all the rights individuals have
5. Subject access requests – update procedures and plan how you will handle requests
6. Lawful basis for processing personal data – identify and document your processing activity
7. Consent – review consent practices and refresh if they don’t meet GDPR standard
8. Children – consider whether you need to verify individuals’ ages and to obtain parental consent for any data processing
9. Data breaches – put in place procedures to detect, report and investigate a personal data breach
10. Data Protection by Design and Data Protection Impact Assessments – familiarise yourself with the ICO’s code of practice
11. Data Protection Officers – designate someone responsible for data protection compliance
12. International – determine your lead data protection supervisory authority (ICO in the UK)
