The countdown has begun to one of the biggest changes in data protection, but how much do you know about GDPR? In a series of articles throughout February we will explain the essential information you need to know and what you need to be doing now.
It stands for General Data Protection Regulation and it’s an EU legal framework which will apply to UK businesses from 25 May 2018. It’s a new set of legal requirements regarding data protection which adds new levels of accountability for companies, new requirements for documenting decisions and a new range of penalties if you don’t comply.
It’s designed to enable individuals to have better control of their own personal data.
While the law was ratified in 2016, countries have had a two-year implementation period which means businesses must be compliant by 2018.
The changes to data protection will be substantial, as will the penalties for failure to comply. It introduces concepts such as the right to be forgotten and formalises data breach notifications.
GDPR will ensure consistency across all EU countries, which means that individuals can expect to be treated the same in every country across Europe.
For processing personal data to be legal under GDPR, businesses need to show that there is a legal basis for why they require personal data, and they need to document this reasoning.
GDPR states that personal data is any information that can be used to identify an individual. This means that, for the first time, it includes information such as genetic, mental, cultural, economic or social information.
To ensure valid consent is being given, businesses need to ensure simple language is used when asking for consent to collect personal data. Individuals must also have a clear understanding as to how the data will be used.
Furthermore, it is mandatory under the GDPR for certain organisations to appoint a Data Protection Officer. This applies to public authorities and to other companies whose core activities require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”.
Data Protection Officers will also be required to complete Privacy Impact Assessments and to give notification of a data breach within 72 hours.
At this stage it is unknown how the UK exiting the European Union will affect GDPR. However, Article 50 has yet to be triggered, so the exit from the European Union is still over two years away, and as such the UK will still be part of the EU in 2018. This means that businesses must comply with GDPR when it comes into force.
Penalties for failing to meet the requirements of GDPR could lead to fines of up to €20 million or 4% of the global annual turnover of the company for the previous year, whichever is higher. A financial penalty at this level could have a serious impact on the future of a business.
Over the coming month, we will continue this series looking at how to get started preparing for GDPR now, why you need a Data Protection Officer and how GDPR will affect your international business.