The General Data Protection Regulation (GDPR) will come into force in the UK on 25 May 2018 after four years of negotiations and unprecedented levels of lobbying by businesses. These new rules will cause significant disruption to how organisations store, manage and process personal data, with significant penalties for those who don’t comply. This will impact all businesses, especially those in the consumer sector where data has become such a large part of customer loyalty, marketing and delivery. So is your business GDPR ready?
The new legal framework is the biggest change to data privacy legislation in over 20 years. Digital advancements over this time have meant that consumer data is created, collected and stored within seconds. It is more important now, than ever, to have clear laws and safeguards in place given the growing digital economy and associated cyber security risk.
The GDPR aims to protect EU citizens’ personal data, regardless of borders or where the data is processed. The new rules are much broader than the 1995 Data Protection Act with a more expansive definition of personal identifiers, such as an IP address, which is now classified as personal data. Businesses based outside the EU will still need to be compliant if they have EU customers. As such the UK’s decision to leave the EU will not affect the need to comply with GDPR.
The penalties are significant, fines for non-compliance of up to €20m or 4 per cent of annual global turnover could be imposed.
Any company who processes consumers’ personal data will need to comply with the new obligations. That means understanding what changes will be required to existing processes under the new rules:
Under the new rules the requirements have been tightened significantly. Requesting consent from a consumer to process their personal data must be ‘unambiguous’.
Under the GDPR, data processors will have greater legal liability and are required to maintain records of personal data and processing activities. There are also further obligations on controllers to ensure that any third-party contractors also comply with the GDPR e.g. cloud hosting or outsourcing.
Organisational and technical measures to protect personal data are now the responsibility of the data controller and data processor – data protection and privacy requirements should be built into the development of your business processes and systems.
You will need internal processes that allow you to report and manage communications with affected consumers quickly and accurately.
You will need processes in place to comply and reassure that these rights have been adhered to (including notifying third-parties).
Where ‘large scale’ processing of data is evident a dedicated Data Protection Officer needs to be appointed.