Six FAQs about the EU General Data Protection Regulation
1.) What is the EU GDPR and when will it be enforced?
The EU General Data Protection Regulation (GDPR) establishes a single, pan-European law for data protection, replacing the old patchwork of national laws. Ultimately, the GDPR will change how organisations can collect, use and transfer personal data.
The GDPR entered into force in May 2016 and applies from 25 May 2018, so businesses have less than a year to prepare. With strict consent requirements backed up by huge fines (up to 4% of a company’s global annual turnover or €20 million, whichever is higher) and stronger enforcement, it is vital for businesses to make the necessary changes to the way that data is handled and protected.
2.) Why is the GDPR happening?
In recent years, there have been significant technological advances and changes to the ways in which individuals and businesses communicate and share personal data; they use the internet, mobiles, social media and e-commerce in completely new ways.
With this proliferation of data, the GDPR aims to give people more control over their data and standardise some of the ways that businesses communicate with people about how their data is being used. In effect, the GDPR intends to protect individuals from the potential harm caused by the unwanted use of their data.
3.) Who does the GDPR affect and will it still apply after Brexit?
The GDPR affects any business that processes the personal data of individuals located in the EU, including data collected online from customers. In fact, the jurisdiction of the GDPR is based on the location of the individual, not the business. So if you are based outside the EU (for example, in the UK following Brexit) but offer goods or services to, or process and hold the personal data of, individuals within it, then the GDPR will still apply. The GDPR is here to stay in the UK.
The ICO issued the following statement after the EU referendum:
“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
After Brexit, the UK will therefore need similar, or equivalent, data protection standards to those of the EU in order to demonstrate adequacy.
4.) What constitutes personal data?
Personal data is any information relating to a person (the ‘data subject’) that can be used, directly or indirectly, to identify that person.
The examples below constitute personal data, but the list is not exhaustive:
an email address
a National Insurance (NI) number
a driving licence number
social media posts
a computer’s IP address
5.) What’s new in the GDPR and how can businesses prepare?
In a nutshell, the key changes relate to procedures within a business, individuals’ rights and accountability.
Below is our summary of the wonderful document by the ICO, ’Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now’. If you would like to read the document, you can download it from our GDPR page.
Awareness: Your first step should be to get the managing partners and quality partners informed and on board as soon as possible, since compliance will need their backing and budget.
Information you hold: Now is the time to make an Information Asset Register. Download ADDS’ IAR tools.
Communicating privacy information: Revamp your current privacy notices and data protection policy, both for in-house and client communication.
Individual rights: Individuals have strengthened rights, including the right to erasure (the ‘right to be forgotten’). Do you have a checklist / process for deleting data? Is there a record of data being deleted along with proof of deletion?
Subject access requests: How do you currently handle requests from an individual about the information you are storing about them, and how quickly does your firm respond? There are new timescales under the GDPR: you must respond without undue delay and within one month (extendable by a further two months for complex requests), and in most cases you can no longer charge a fee.
Legal basis for processing personal data: How are you processing personal data? Have you confirmed your legal basis for carrying this out? Is there a written policy?
Consent: How do you obtain / store consent from individuals to hold / use their data?
Children: If you offer online services to children and rely on consent, you need a system that verifies individuals’ ages, plus a consent checklist for those requiring parental or guardian consent for data processing (the GDPR sets the age of digital consent at 16, but allows member states to lower it to 13).
Data breach: What are your potential data breaches? Do you have a policy and checklist framework to deal with a data breach? Under the GDPR, a breach that is likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of becoming aware of it, and affected individuals must be told where the risk is high.
Data protection by design and privacy impact assessments: The ICO quotes here: ‘You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessment and work out how and when to implement them in your organisation.’
Data protection officer: Not every organisation is required to formally appoint a DPO (it is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), but every organisation should designate someone to take responsibility for data protection compliance, to deal with all data protection enquiries and to manage data breaches. Either assign the role within your Risk department or use a freelance data protection officer.
International: The ICO advises that if you operate in more than one EU member state, you need to know which data protection supervisory authority is your lead authority; for the UK it is the ICO.
6.) What are the penalties for non-compliance?
The GDPR has strict penalties for non-compliance with the new regulations. It carries fines of up to 4% of global annual turnover or €20 million, whichever is higher, rather than the pre-existing £500,000 cap under the Data Protection Act 1998.
Archive Document Data Storage (ADDS) provides records management and data protection solutions for businesses throughout London, Bristol, Bath, and Swindon. For more information, please contact us by phone or complete the form on this page.
Thank you for reading our blog. Within this blog, we have shared our personal thoughts and opinions about the subject. Always seek legal advice before taking any action.