GDPR - Are you ready?
There’s been a lot of conjecture about the General Data Protection Regulation (GDPR), due to be implemented on 28 May 2018, particularly around whether it will still apply to UK firms at all once the UK leaves the EU.
It’s important to remember that whatever happens after Brexit, firms will still need to be compliant with the new GDPR rules in the time between implementation and the UK leaving the EU. Even after leaving the EU, it’s likely that organisations will need to remain compliant with the new act – one of the key requirements is that data controllers and processors can only share data with organisations that work within a country that has equally rigorous data protection laws. In short, even after leaving the EU, it is highly unlikely that the UK will substantively change the rules as they’re set out in the new GDPR.
The new rules follow a European Commission review of European data protection legislation, which led to the creation of the GDPR. This will replace the UK’s current data protection legislation, the Data Protection Act 1998. Although we all know the current Data Protection rules and are used to working within them, the new GDPR will change things. With the implementation date just over a year away, now is the time to be planning ahead and making sure you’ll be compliant with the new rules.
The changes are fairly wide-ranging. The new rules will affect any firm that processes personal data, and along with strengthening some current rules – on accountability, for example – GDPR introduces new rights and obligations and tough sanctions for organisations who fail to comply. As such, existing practices, policies and procedures will need to be thoroughly examined and amended to ensure compliance with the new
Here’s a brief run-down of the major changes:
There’s a new requirement that data processors must inform data controllers of a breach. You should therefore review all your contracts to ensure the processor has an obligation to report any data breach to you. It’s also best practice to set up reporting for “near misses”, so that you can learn together to prevent actual data breaches. We’ll discuss this further in our upcoming seminar.
If a data controller shares inaccurate information with data processors, the data controller has a new obligation to pro-actively inform the data processor that the information was inaccurate. This could have wide-ranging consequences for our industry, both positive and negative, especially when you factor in credit reference agencies.
Privacy notices need to be updated in line with the new requirements; again, we’ll cover this in more detail in our upcoming seminar.
The rules around subject access requests are significantly changing: in most cases you will be unable to charge a fee (although there are some exceptions), you have 30 days to process the request, and you must include certain pieces of information, such as your intended retention periods.
Interestingly, you need to have processes in place to identify and record the legitimate reason you have to process the data that you hold. This is a departure from current domestic legislation and will need to be worked into our policies and procedures. You will need to consider how far to go with this obligation: you’ll at least need a clause covering customer data, perhaps one covering different classifications of customer data, and one covering staff data. At the other extreme, perhaps you require a statement for each individual customer? Something to be considered.
There are new rules around gaining customer consent. For example, consent will be deemed improper should it be obtained from a pre-populated tick box. You need to consider how you will gain oversight of what your clients or partners are and have been doing to gain consent, as well as reviewing the data you already have on file to ascertain whether the consent is still valid. This decision must be recorded.
A new emphasis is placed on audit trails so the firm can show its actions around specific accounts and decisions.
An updated obligation to inform the ICO within 72 hours where a data breach has occurred which might cause detriment to the data subject. Records must be kept of reasons for the decisions made.
A data protection officer is required to be in place and carries specific responsibilities.
The GDPR requires you to implement a “privacy by design” policy whereby systems and processes are designed with data security and protection in mind from the outset; again, we will discuss this in more detail during our seminar.
It’s the right time to start considering the impact of these rules on your organisation.
There’s no better way than to join us for our seminar!
GDPR seminar - held in Leeds on 26 April 2017 at St Georges Centre, LS1 3DL.
£199pp lunch included. 9am to 3.30pm.
Contact us to register interest: