The General Data Protection Regulation (GDPR) (EU) 2016/679 came into effect on 25th May and many people were dreading it. However, it’s not something to be feared, but a piece of legislation designed clarify data protection laws and protect individuals now the current Data Protection Act of 1998 has become obsolete.
Fit for purpose
Because society and technology have changed so much in recent years and the amount of data we produce these days was not foreseen when the current laws were drawn up over twenty years ago; it’s time for an overhaul.
The legislation has taken over six years to produce and its aim is to harmonize data privacy laws throughout the UK and reshape the way businesses and organisations approach the serious subject of data privacy. Whilst GDPR applies across the EU, there has been some flexibility for countries to change small parts of the rules to fit their own preferences. The Government has been through a consultation process to which many organisations have contributed. The fact that the UK is leaving the EU next year will have no bearing - we’d signed up to it long before the BREXIT referendum.
Don’t be scared
Many of the GDPR’s main principles are similar to those in the current Data Protection Act (DPA), so if you are already complying correctly with the current law, most of steps you take will remain valid and can be viewed as starting points on which to build. That being said, there are several new elements and improvements in new bill so the changes need to be understood and embraced.
The new law includes tougher rules on consent, rights to access, rights to move and rights to delete data. Enforcement will be enhanced, and the regulatory body given the powers to ensure consumers are appropriately safeguarded. The regulatory body in the UK is the Information Commissioner’s Office (ICO); an independent authority set up to uphold information rights in the public interest. Its remit is to provide organisations with practical guidance on compliance and from the end of May, it will be able to conduct criminal investigations and issue fines against those who fail to comply.
Big business
All businesses that process personal data have to comply with the GDPR, regardless of size. Bigger organisations (over 250 employees) will have to maintain records of this processing. Companies that hold data on a large scale or process a lot of sensitive personal information will be required employ a specialist data protection officer (DPO).
Data Breaches
Data security is at the heart of the new legislation so the rules for breaches in security have been made more robust. The ICO has to be informed of a breach within 72 hours of it being discovered and the people it impacts must also be told.
Consent
Mailing lists are to come under scrutiny. The conditions for consent have been strengthened and an assumed “automatic opt-in” is no longer acceptable. From now on consent has to be a “positive opt-in” and the request for consent must be given in an intelligible and easily accessible form – and the purpose for data processing attached to that consent.
Transparency
The new law brings in changes to Subject Access Requests (SARs). Previously, businesses and public bodies were able to make a charge of £10 to release copies of information they held on an individual, but now such requests will be free. Furthermore, they must be produced within a month of the request being made.
Time to prepare
Although it can seem a bit overwhelming, there’s lots of excellent information out there to help you get to grips with it all.
The legislation can be read in full here and the ICO has put together a 12 step checklist called Preparing for the General Data Protection as well as an interactive self assessment tool kit, designed to help small to medium sized organisations become compliant. A number of areas including direct marketing, information security, records management, data sharing and CCTV are covered by the tool kit and once completed, a short report is created suggesting practical actions to take.
GDPR & PECR
The GDPR sits alongside the Privacy & Electronic Communications Regulations (PECR), which detail specific privacy rights in relation to electronic communications, such as marketing emails, cookies and texts. Both regulations need to be adhered to. More information about PECR can be found, here.
Good information handling is good for business
The information and rights of individuals is clearly key and the new law on the horizon need not be as daunting as it seems, cleaning up data storage and sharing will surely benefit us all. As Helen Denham, head of the ICO says:
“Good information handling makes good business sense. You'll enhance your business's reputation, increase customer and employee confidence, and by making sure personal information is accurate, relevant and safe, save both time and money.”
We’ll be hosting a session on the GDPR at our National LCL Centre Forum on 4th July. If you are an existing or potential LCL centre and you haven’t yet booked your place, contact Jessica Lowe – jessica.lowe@logic-cert.com for more information.