If you haven’t already started, time is running out to prepare for the biggest change in data protection in a generation with the implementation of the European Union’s General Data Protection Regulation (GDPR).
On May 25, 2018, the GDPR will replace the 1998 Data Protection Act and 1995’s Data Protection Directive 95/46/EC following a two-year post-adoption period. The GDPR is designed to harmonise data privacy laws across Europe, protect and empower citizens’ data privacy, and reshape how organisations deal with data privacy.
Any company handling data that relates to EU citizens will have to comply with the new regulation or face financial penalties.
The GDPR applies to all organisations working within the EU and also to those outside EU borders who provide products and services to customers within the EU.
Despite the British Government currently negotiating the UK’s departure from the European Union, it will implement the GDPR on May 25 along with the other 27 members of the EU.
Controllers and processors
Personal data means data relating to a living person who can be identified from that data, or from that data combined with additional information held by the person controlling the data. It covers names, addresses and telephone numbers and, reflecting how the ways we share our information have changed over the last two decades, it also includes IP addresses and other online identifiers.
So, what does the GDPR mean in practical terms? The regulation divides companies into two brackets – controllers and processors. Controllers say how and why personal data is collected; processors use that information on the controllers’ behalf.
The GDPR will place specific legal obligations and liabilities on processors, who will be legally obliged to maintain records of personal data and of any tasks involved in processing that data. Controllers will also be required to ensure all contracts with processors comply with the GDPR.
Introducing effective controls
The biggest change is that data collectors and controllers will have to regard the information they have as simply on “loan” from the customer. It is no longer an asset but, in fact, a liability. This means a cultural change in how companies handle the data they collect.
The GDPR introduces the principle of “accountability” – firms will have to carry out risk assessments on their data controls by examining what they intend to do with the data they collect and mitigating the risk of breaches or theft of personal information, among other responsibilities.
Some larger organisations may need to appoint a data protection officer where they collect data on a large scale that needs to be monitored regularly.
Other changes include:
- Companies must ensure they only collect information specific to the service they’re providing;
- Companies must use accessible language to ensure customers give their consent;
- Companies must notify the authorities of a data breach within 72 hours;
- The “right to be forgotten” is enshrined, so the subject can have his or her personal data erased and insist there is no further use of the data by any third party;
- Privacy by design, where data protection is part of a system’s core design rather than an addition.
Companies that do not comply with the GDPR will face financial penalties. The maximum fine is 4 percent of global turnover or £20 million, whichever is greater, with fines of 2 percent levied for not having records in order or not reporting a breach, for example.
Help on implementation
The General Data Protection Regulation will be covered in full detail at the next Inside Conveyancing & Legal Update conference in Leeds on April 24 when Jody Evans, Business Development Director at Legal Eye, will discuss how to prepare for its implementation. Book your place now.