GDPR ready or not here it comes

24 May 2017

Love it or hate it, data protection will be a hot topic for businesses over the next 12 – 18 months, particularly with significant increases in fines for non-compliance looming on the horizon.

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and will replace the Data Protection Act 1998 which currently regulates the use of an individual’s personal data.

Why all the fuss?

The significant increases in fines that can be imposed under the GDPR for non-compliance should be a huge incentive for businesses to ensure they are ready for the 25 May 2018 deadline. For some breaches (for example those involving international transfers of personal data or failing to meet the conditions for processing data, such as obtaining valid consent), a business could be looking at a fine of up to 4% of its annual worldwide turnover or EUR200 million. Other breaches could lead to a fine of up to 2% its of annual worldwide turnover or EUR10 million. As well as a fine, businesses could also feel the financial impact of reputational damage, especially if the breach is serious.

Main changes

According to the Information Commissioner’s Office (ICO), businesses that currently comply with the Data Protection Act 1998 will have a "strong starting point to build from". However, the GDPR will bring some significant changes including:

  • Consent – obtaining valid consent to justify processing personal data is going to be much harder and individuals will have the right to withdraw their consent at any time;
  • Sensitive personal data – which will become ‘special categories of personal data’ and include genetic and biometric data;
  • Privacy notices – these will need to include more information;
  • Privacy impact assessments – these will need to be undertaken if ‘high risk’ processing is being undertaken;
  • Appointing a data protection officer – this will be mandatory in certain circumstances;
  • Reporting data breaches to the regulator – where feasible, this will need to be done within 72 hours of awareness, unless there is unlikely to be a risk to individuals. Individuals affected by the breach may also need to be notified; and
  • Data processors – the GDPR will apply directly to data processors. Contracts between data controllers and processors will need to include more provisions.

What should businesses be doing now?

Even though there is still more than a year to go, businesses should be starting to prepare now, as for many there will be a lot to do. To assist, the ICO has published a 12 step guide for businesses, which is worth a read. In addition, the ICO will be producing guidance to help with interpretation of the GDPR; its guidance on consent is currently in draft form. However, with the best will in the world, it is likely that even as we approach May 2018, there will still be uncertainty on aspects of the GDPR. For those responsible for data protection, it will be a case of staying tuned to the ICO website/Twitter feed, attending training sessions, reading articles and seeking external advice, where needed, to ensure they are armed with the best information to take forward compliance within their own organisations.