In approximately six months’ time on the 25th May 2018 the UK will see the introduction of the General Data Protection Regulation (GDPR) – the biggest change in data privacy regulation in 20 years.
With the huge increase in data, the GDPR aims to protect all EU citizens from data protection breaches, and the Government has confirmed that Brexit will not affect its implementation.
The GDPR is similar to the Data Protection Act in that it applies to personal data, but it is more detailed. For example, personal data can include IP addresses, which reflects changes in technology and in how information about individuals is collected.
The GDPR principles are similar to those in the Data Protection Act and include the requirements that data should be processed lawfully, collected for specified and legitimate purposes, be adequate, relevant and not excessive, be accurate, and be kept no longer than necessary.

The principles include added detail, and there is a new requirement of accountability, which requires organisations to show how they comply with the principles. For example, an organisation may need to document the decisions taken about a processing activity.
There are also new provisions for the protection of children’s personal data. Where services are offered directly to a child, the privacy notice must be clearly written in a way that a child can understand.
The GDPR strengthens some of the existing rights of individuals under the Data Protection Act but also adds new rights, such as the right to data portability. This allows individuals to obtain and reuse their personal data for their own purposes across different services. There is also the new right to erasure, which in broad terms permits individuals to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
As a first step in complying with the GDPR, organisations should undertake an audit of all data held on individuals and the reasons why it is held, and look at appointing a senior person who will take responsibility for this within the organisation. Policies for handling data will need to be updated, staff will need to be trained, and individuals must be fully informed of the data being held.
The new rules will introduce tighter timescales for responding to subject access requests. An organisation currently has 40 days, but from next May the requested information must be provided without undue delay, and within one month of the request at the latest, and no fee can be charged.
Organisations which breach the GDPR face higher penalties of up to €20 million or 4% of annual turnover, so it is important to act now and take the necessary steps.
If you would like further information or support for your business please contact Sheila Watson on 01429 857082.