New law: Organisations gearing up as major new data protection law looms in 2018
Organisations should be identifying and preparing to implement necessary changes now, ahead of the new General Data Protection Regulation (GDPR) which is due to come into force in May 2018.
The GDPR is an EU Regulation that strengthens and unifies data protection for individuals within the EU, and regulates the export of personal data outside the EU. Its aim is to give citizens control over their personal data and simplify the regulatory environment for international business. It will replace the UK's existing data protection laws. As it is an EU Regulation the GDPR has direct effect - there is no need for enabling UK law.
The proposed introduction date is 25 May 2018, meaning the GDPR will come into force while the UK is still a member of the EU.
Much of the new law will be the same as existing UK data protection law, but there are differences. Many organisations are treating the changes as an opportunity to make their data more accurate, up-to-date and relevant rather than simply as a nuisance cost.
The changes include the following:
The definition of 'personal data' will be wider, and will include, for example, identification numbers, location data and online identifiers such as IP addresses and cookies.
The criteria for obtaining consent to use of data will be harder to satisfy. Consent will have to be freely given, specific to each use to which the data will be put, informed, unambiguous, distinguishable - and easy to withdraw.
Individuals' rights to ask for information about their personal data will be wider.
Data processors will, for the first time, be subject to regulation, as well as data controllers.
Some organisations will be legally required to appoint Data Protection Officers.
The rules about notifying breaches will be significantly updated.
Maximum fines will increase very significantly.
Businesses should start to think about necessary changes now, and take preparatory steps to close the gap between what they currently do and what they will be required to do under the GDPR. These include reviewing:
The personal data your organisation processes, why you are processing it, where it is kept, where it is processed (for example, if it is transferred outside the EU), who is authorised to access it, and if it is shared with any third parties.
Related processes such as training, record keeping and monitoring.
Whether to delete any personal data you should no longer be holding.
Policies, codes of conduct and procedures to make sure they comply with the new rules. Ensure the new obligations on data processors are covered.
Agreements with suppliers (and any standard precedents you use).
Information notices (the GDPR requires organisations to provide information about their personal data to individuals).
How you monitor and review the new systems to ensure compliance, and how you maintain the necessary paper trail of assessments, decisions and actions to show compliance.
How you investigate and remedy problems, including how you handle data breach notifications (which may spike as the changes are introduced).
Insurance - does your organisation need data protection cover?
Whether you need to appoint a Data Protection Officer under the GDPR.
These steps will help highlight areas of highest risk so that a project team, action plan and data register can be set up, a budget established, and priority work started.
Importantly, businesses need to consider any changes to their IT systems that may be necessary to enable them to comply with the GDPR.
Organisations should be identifying and preparing to implement necessary changes now, ahead of the new General Data Protection Regulations, due to come into force in May 2018
Authorised and Regulated by The Solicitors Regulation Authority. Authority number 591294.
For details of the professional rules governing the conduct of solicitors go to www.sra.org.uk/code-of-conduct.page