Newsletter Autumn

New data protection rules

There are new data protection rules in the pipeline, and they’re likely to get a lot more publicity in the months to come. The new initials to look out for are GDPR.

GDPR - General Data Protection Regulation – is set to kick in from 25 May 2018. It increases the obligations on all businesses to safeguard the personal information of individuals which is stored by the business – be they customers, suppliers or employees. Broadly speaking, if you are already subject to the Data Protection Act, you’re likely to have to comply with the GDPR.

GDPR will apply to data ‘controllers’ and ‘processors.’ Processing is about the more technical end of operations, like storing, retrieving and erasing data, whilst controlling data involves its manipulation in terms of interpretation, or decision making based on the data. The data processor processes personal data on behalf of a data controller. Obligations for processors are a new requirement under the GDPR.

New features

The GDPR applies to personal data – but the new definition is wider than under the Data Protection Act (DPA).

One key new feature is having to show how you comply with the rules. Evidencing compliance is known as the ‘accountability’ principle. Things like staff training and reviewing your HR policies are examples of compliance – and you’ll need evidence to prove you’ve done it.

Under GDPR, higher standards are set for consent. Consent means offering people genuine choice and control over how you use their data.

Under 250 employees?

The legislation acknowledges that micro, small and medium enterprises have particular needs, and for record-keeping, the GDPR distinguishes between what is expected of organisations with more than 250 employees, and those below this size. There is a little more lee-way at the smaller end of the scale and additional requirements for organisations with 250+ employees.

250+ employee organisations have to keep internal records of processing activities, whilst smaller organisations don’t. Smaller organisations however, do have to keep records of activities concerning higher risk processing. Higher risk processing is a category including processing of special categories of data or criminal convictions or offences, or personal data potentially impacting the rights and freedoms of an individual.

Showing compliance and consent

Overall, the aims of GDPR are to create a minimal data security risk environment, and to protect personal data to rigorous standards. For most organisations, this will entail time and energy getting up to speed with compliance procedures. Reviewing consent mechanisms already in place is likely to be a key priority. In practice, this means things like ensuring active opt-in, rather than offering pre-ticked opt-in boxes, which become invalid under the new rules.

Organisations will also have to think about existing DPA consents. The ICO’s advice is that ‘you will need to be confident that your consent requests already meet the GDPR standard and that consents are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily.’ If consents already in place don’t meet the new standards, action will be needed.

Getting it wrong

As well as adverse reputational impact, the cost of getting it wrong could be high. Infringing the basic principles for processing personal data, including the conditions for consent, could mount to 20 million euros or 4% of total worldwide annual turnover (if higher).

This article highlights just some of the main features of the new rules. The Information Commissioner’s Office (ICO) has published some very useful information and planning points to help organisations get ready ahead of the May 2018 deadline which are well worth reading and