The GDPR will apply in the UK from 25 May 2018.
The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. The ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals. Having clear laws with safeguards in place is more important than ever given the growing digital economy.
Who does the GDPR apply to?
The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA (Data Protection Act) – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
If you are a processor, the GDPR places specific legal obligations on you directly; for example, you are required to maintain records of your processing activities, and you will have significantly more legal liability if you are responsible for a breach. Direct statutory obligations on processors are a new requirement under the GDPR.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given. Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process their data.
You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
So how does this affect you?
It may affect you significantly. Whether your business is large or small, you have to comply with the new rules on how personal data is collected, stored, secured and used.
The GDPR does recognise that smaller businesses need different treatment from large or public enterprises. Article 30 exempts organisations with fewer than 250 employees from the duty to keep written records of their processing activities. This is not an exemption from the GDPR itself, and the stipulations below mean that many small businesses will still have to keep those records.
The key stipulations of GDPR are:
Public authorities, and any organisation whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data, must appoint a Data Protection Officer (DPO). The requirement turns on what you process, not on headcount. The DPO advises on and monitors the organisation’s compliance with the GDPR.
The Article 30 record-keeping exemption does not apply to a business with fewer than 250 employees if the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data as defined in Article 9 or data about criminal convictions and offences under Article 10. The rest of the GDPR applies to every organisation regardless of size.
A personal data breach must be reported to the supervisory authority (the Information Commissioner’s Office (ICO) in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where a breach is likely to result in a high risk to individuals, they must be told directly as well. The 72 hours run from the moment you become aware of the breach, so detection and escalation processes need to be in place before one happens.
Individuals have more rights over how businesses use their personal data. In particular, they have the right to erasure (the ‘right to be forgotten’) where, for example, they withdraw the consent the processing relied on, or the data is no longer necessary for the purpose it was collected for, subject to the exceptions the GDPR sets out.
Failure to comply with the GDPR will lead to heavier penalties than ever before. Under the current DPA, the ICO can fine up to £500,000 for malpractice; under the GDPR, fines can reach €20 million or 4 per cent of annual worldwide turnover, whichever is higher.
Better management of your data has to begin with discovery. Under the GDPR, every piece of personal data held by your business needs to be identified, wherever it sits: on servers, on mobile devices or in the cloud.
Properly implemented, data discovery will often lead you to data that you did not know about. When you understand where you’re holding personal data, you’ll then be able to better monitor compliance and the processes involved in dealing with that data.
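As an added illustration of the discovery step, and not code from the original article or from Company Connecting, the script below scans a directory of text files for three kinds of personal data common in UK businesses (email addresses, UK mobile numbers and National Insurance numbers) and produces an inventory of where each was found. The patterns, the National Insurance prefix rules and the sample files are simplifying assumptions for the example; a real discovery exercise would cover more data categories and more storage locations than local text files.

```python
"""Added example: a minimal personal-data discovery scan over text files.

Walks a directory, looks for email addresses, UK mobile numbers and
National Insurance (NI) numbers, and returns an inventory keyed by file.
The patterns below are simplified assumptions for illustration, not an
exhaustive model of personal data.
"""
import os
import re
import shutil
import tempfile
from collections import defaultdict

# Simplified detection patterns (assumptions).
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # UK mobile: 07 plus nine digits, optional spaces in the usual places.
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{3}\s?\d{3}\b"),
    # NI number shape: two letters, six digits, suffix letter; validated below.
    "ni_number": re.compile(r"\b[A-Za-z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-Da-d]\b"),
}

# Prefix rules for NI numbers (assumption: as commonly documented by HMRC).
_NI_BAD_FIRST = set("DFIQUV")
_NI_BAD_SECOND = set("DFIOQUV")
_NI_BAD_PREFIX = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}


def is_valid_ni(candidate: str) -> bool:
    """Reject NI-shaped strings whose prefix can never be allocated.

    This cuts false positives such as 'QQ 12 34 56 C', a placeholder form.
    """
    s = re.sub(r"\s", "", candidate).upper()
    if len(s) != 9:
        return False
    prefix = s[:2]
    if prefix[0] in _NI_BAD_FIRST or prefix[1] in _NI_BAD_SECOND:
        return False
    if prefix in _NI_BAD_PREFIX:
        return False
    return s[2:8].isdigit() and s[8] in "ABCD"


def scan_text(text: str):
    """Return a list of (category, normalised_value) found in text."""
    findings = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if category == "ni_number":
                if not is_valid_ni(value):
                    continue
                value = re.sub(r"\s", "", value).upper()
            elif category == "uk_mobile":
                value = re.sub(r"\s", "", value)
            findings.append((category, value))
    return findings


def scan_directory(root: str, extensions=(".txt", ".csv", ".log", ".md")):
    """Walk root; return {relative_path: findings} for files with findings.

    Paths use '/' regardless of platform. Files with other extensions, or
    that are not valid UTF-8 text, are skipped rather than guessed at.
    """
    inventory = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
            found = scan_text(text)
            if found:
                inventory[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return inventory


def summarise(inventory):
    """Count findings per category across the whole inventory."""
    counts = defaultdict(int)
    for findings in inventory.values():
        for category, _ in findings:
            counts[category] += 1
    return dict(counts)


def build_sample(root: str) -> None:
    """Write constructed sample files with fictional data for the demo."""
    samples = {
        "crm/leads.csv": "name,email,phone\nA Person,a.person@example.org,07700 900123\n",
        "hr/notes.txt": "Placeholder: QQ 12 34 56 C\nOn file: AB 12 34 56 C\n",
        "logs/app.log": "2018-05-25 login user=someone@example.com ok\n",
        "README.md": "No personal data here.\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_demo():
    """Build the constructed sample tree, scan it, clean up, return inventory."""
    root = tempfile.mkdtemp(prefix="gdpr_discovery_")
    try:
        build_sample(root)
        return scan_directory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    inv = run_demo()
    for path, findings in sorted(inv.items()):
        for category, value in findings:
            print(f"{path}: {category} = {value}")
    print("totals:", summarise(inv))
```

The inventory is the artefact that matters for Article 30 records and for answering access or erasure requests: it tells you which system holds which category of data, so each location can be mapped to a purpose, a lawful basis and a retention period.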
Being aware of the new regulations and what they mean for your business is vital. So don’t stick your head in the sand and wait for it to pass. After all, once the GDPR arrives, it’s here to stay.
These changes will undoubtedly affect how many businesses across the UK market and hold data. Many of us use telemarketing to book appointments for our BDMs – moving forward this approach will require adjustment and we have a unique solution that will deliver results every time.
We work with our clients in providing a tailored approach on sales & marketing and ensure we meet all the regulations. Can you really afford to be at risk – call us today on 0800 699 0533 for a free no obligation discussion on how we can help you or email us on firstname.lastname@example.org
For further advice on GDPR please contact https://companyconnecting.com/