Are you prepared for the new data protection regime?

04/10/2016
Do you wonder why you still keep hearing about the EU General Data Protection Regulation (GDPR) three months after the Brexit referendum? It is because it will still apply to you and there is a lot to be done before it comes into force.
- Will GDPR apply to my business?
Although there is no certainty as to whether GDPR will be part of English law after Brexit, it will definitely be relevant to all UK organisations from 25 May 2018 until the UK formally leaves the EU. Once the great divorce finalises, GDPR will continue to apply to UK organisations offering goods or services to, or monitoring the behaviour of, EU citizens.
Moreover, since the Information Commissioner’s Office (ICO) announced that it would advise the government that a reform of the UK data protection law remains necessary, it is safe to predict that any post-Brexit domestic regime will closely reflect the one set out in the GDPR. Therefore, no preparations made now will go to waste.
- Main changes
In a nutshell, GDPR is all about data controllers and processors being more transparent and accountable for handling personal data, and about giving data subjects greater control over what happens with their information.
A business will need to ensure that the purposes for which it processes personal data fall under the categories permitted in the GDPR and notify those purposes to data subjects (e.g. processing that is necessary for the performance of a contract with the data subject, or for compliance with a legal obligation). Once data is no longer needed for the stated purpose, the processing will have to cease unless the business obtains further consent.
Consent will need to be specific to the purpose and indicated by a positive action (e.g. a click-acceptance of online terms rather than pre-ticked boxes or browse-wrap types of notices).
‘The right to be forgotten’ (i.e. to request the deletion or removal of personal data where there is no compelling reason for its continued processing) will now be statutory, and there will be a new right to ‘data portability’ (i.e. easy transfer of personal information from one service provider to another).
Not only will organisations have to adhere to the new law, but they will also have to be able to demonstrate their compliance (e.g. by providing an audit trail of how and when consent to a specific type of processing was obtained).
Certain types of data breaches will have to be reported to the relevant supervisory authority (e.g. ICO for breaches in respect of data of individuals residing in England). Fines for the most serious breaches under the new regime could be as high as 4% of global annual turnover.
- What should I be doing now?
You should be undertaking a thorough audit of what personal data your business collects (including information not currently classed as personal data, such as an IP address), where it came from, the purposes for which you process it, where you store it, who you share it with and what organisational and technical information security measures you have in place.
Unless your company is small and deals with business clients only, that gap analysis is likely to be the lengthiest stage of your GDPR preparation. The larger and more complex your organisation is, the more IT systems you use, the more sites and employees with access to personal data you have, the more varied your customer groups and business activities are, the more personal data you share with third parties and the more international markets you operate in, the more complicated and time-consuming that project will be. Therefore, if you have not already started, there is no time to waste!
- What’s next?
Once you have identified the gaps, you will need to plan how to close them. This may require introducing changes to your existing IT systems and internal procedures to ensure they support the new requirements (e.g. data blocking, erasure, rectification and portability). You may need to amend or put in place information sharing agreements with third parties (e.g. sub-contractors or partners). You will need to update your privacy notices and train your employees. You might also need to appoint a Data Protection Officer (e.g. if you process special categories of data).
If you would like to discuss any issues in relation to data protection or wider commercial law matters, please contact Antony Hall, Partner and Head of Commercial at Mincoffs Solicitors on 0191 281 6151 or email firstname.lastname@example.org.