Leading corporate law firm Endeavour Partnership explains more about the data protection shake-up…
What is GDPR?
The General Data Protection Regulation (GDPR) is a major shakeup in data protection laws across the EU.
It will officially come into force on May 25, and will automatically apply to the UK. GDPR’s reach is global and any company that processes data, be it customer or employee data, to anyone in the EU, will be required to comply.
Since the introduction of the Data Protection Act 1998, there’s been a revolution in data and how it shapes our everyday lives. Whilst in 1998 much of our personal information was stored in filing cabinets under lock and key, smart phones, tablets and other handheld devices have drastically changed the way we process personal data which includes names, addresses and an individuals’ basic details and sensitive data, like information about racial origins and sexual orientation.
The core principles of the data protection regime remain broadly the same. However, there are a number of important changes and new obligations to be aware of. More importantly, the penalties for getting it wrong are much more severe. The maximum fine for a breach of the GDPR will be 4 per cent of turnover or 20 million euros, whichever is the higher. Sanctions also include audits, warnings and temporary and permanent bans, all issued by the Information Commissioners Office (ICO). There is also a new requirement to report serious or major breaches to the ICO and also the data subject.
If you are a business based outside the EU, but you send information to member states of the EU, you may be required to appoint a representative based in the EU who is responsible for data protection.
If you process data on a large scale, employ 250 staff or more, or are a public sector organisation, you will need to appoint a data protection officer, a position which has statutory protection in law, who will be responsible for overseeing your company’s compliance with the GDPR.
GDPR also strengthens the level of consent required to justify using personal data. For example a pre-ticked box or silence /inactivity will not be valid consent to for example, the Company sending our marketing material to a data subject. Consent must be freely given and specific with a genuine choice involved., which the Company is responsible for obtaining.
What does my business need to do?
The good news is that for most businesses and other organisations there is still (just) enough time to do something about the GDPR and make sure that you will be ‘GDPR ready’ before 25th May 2018.
However, there is not a moment to lose as it will take a typical SME up to three months to become ‘GDPR ready’.
If you have not already taken steps to make sure that you are GDPR compliant, you will need to immediately:
• appoint someone to take responsibility for GDPR compliance;
• appoint an external advisor such as Endeavour Partnership to support that person (unless he/she is GDPR competent);
• arrange for a data audit to be carried out to document your data practices;
• verify that your use of data will continue to be lawful by establishing a GDPR compliant basis for your data processing; and
• develop policies and procedures in order to ensure that you operate in a way that is GDPR compliant, and continue to do so post May 2018.
Endeavour Partnership has a specialist GDPR team, headed by Martin McKinnell. For further information about how Endeavour Partnership can help you to become GDPR ready, contact ([email protected]), Jessica Maine ([email protected]) or Laura Kirkpatrick ([email protected]).