Are you ready for the General Data Protection Regulation (GDPR)? If not, please contact us
On 25 May 2018, GDPR will affect every organisation that processes personal data of persons resident within the European Union
The new Regulation is far more extensive in application and scope than the current Data Protection Act 1998 (DPA) which will be swept away on the introduction of GDPR.
Both HM Government and the Information Commissioner have confirmed that UK organisations processing personal data will still need to comply with GDPR, regardless of Brexit.
GDPR introduces a number of key changes that UK organisations need to be aware of, ten of which are set out below:
1. Definition of personal data
Unlike the DPA, the GDPR definition is more detailed and brings in other factors which may be used to identify an individual within the defined term.
2. Consent
GDPR imposes new rules on obtaining consent. Affirmative consent must be obtained in all cases. Parental consent is required in order for organisations to process personal data of children under the age of 16.
3. The Data Protection Officer (DPO)
For certain defined organisations, including all public bodies, and for certain defined processing activities, the appointment of a DPO is mandatory. It is a GDPR requirement that the DPO must have “expert knowledge of data protection law and practices”. The function of the DPO may, under GDPR, be outsourced.
4. Data Protection Impact Assessments (DPIAs) become a legal requirement.
Organisations must carry out DPIAs when using new technologies and where data processing is likely to result in a high risk to the rights and freedoms of individuals.
5. Data breach notifications.
Data controllers will be required to report data breaches to the Information Commissioner unless the breach is unlikely to represent a risk to the rights and freedoms of the data subjects concerned. The notice must be made within 72 hours of the data controller becoming aware of the breach, unless there are exceptional circumstances, which will have to be justified. In certain circumstances the data subjects themselves must be notified.
6. The new ‘right to be forgotten’.
GDPR introduces for data subjects ‘the right to be forgotten’ and sets out guidance on when data subjects can exercise such rights.
7. New data processor responsibilities
Unlike under the DPA, data processors now have direct legal obligations and responsibilities and may be held liable for data breaches.
8. New rules on data portability
Data portability will allow a data subject to request a copy of personal data in a format usable by them and electronically transmissible to another processing system.
9. The introduction of ‘privacy by design’.
The GDPR contains requirements for ‘privacy by design’. Organisations must therefore take privacy into account from the product or service concept stage, not just at delivery.
10. Tougher penalties for non-compliance
The Regulation provides for considerably tougher penalties than those available to the Information Commissioner under current legislation. A two-tier sanction regime is provided for under GDPR. Breaches of some provisions by organisations, which GDPR has deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater. For other, more minor breaches, fines of up to €10 million or 2% of global annual turnover, whichever is the greater, may be imposed on organisations.
Organisations need to prepare for GDPR now.
For further advice please contact Phil Griffiths, a certified EU GDPR Practitioner.
029 2034 5511
Phil has considerable experience in all aspects of Commercial Law, in particular advising on all Commercial Law aspects of capital projects, including PFI, as well as the European procurement regime. He provides commercial advice to a range of businesses and advises on information governance, intellectual property, commercial terms, and the regulatory aspects of business in general and of biotech business in particular.
He has also provided specialist expertise to the BBC Wales programme X-Ray, and his most recent airing was in November 2016 where he was providing advice and guidance to those either involved or thinking of being involved in a franchise.
Phil advises both the private and public sector, including providing legal and strategic advice to the National Procurement Service of Wales, an agency of the Welsh Government that secures in the region of £1bn worth of goods and services in common and repetitive spend, representing 20% - 30% of the Welsh public sector spend.
Phil has for many years been a specialist in Information Governance, is an ISO 17024 certified EU GDPR Practitioner, and provides significant guidance to SMEs and public bodies with regard to the impact of the forthcoming European regulation.