Yes, it is true. Even after Brexit, businesses outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU will be subject to the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, which replaces the current Data Protection Act 1998 (and the EU Data Protection Directive 95/46/EC that it implements) from 25 May 2018. The changes are both momentous and bold!
Maybe you always played by these rules, but if not then implementing the changes as soon as you can is advised. Doing so will not only ensure that you are compliant when the GDPR enters into application in May 2018, but will also maintain your Data Protection Act 1998 compliance in the interim.
Approaching GDPR compliance – where to begin
Whilst each business will have its own compliance requirements to take care of, the following are common areas to look at and be prepared to implement where required:
- Carry out a full audit of all electronic (and paper) files. Identify, assess and record what Personal Data you hold, where it came from, who you might share it with and why;
- Be clear about the ‘legal basis’ (Article 6) upon which you process an individual’s Personal Data. Consent is only one of the bases; others include performance of a contract, compliance with a legal obligation (for example one imposed by an industry regulator such as the Care Quality Commission) and the legitimate interests of the business. Record which basis applies to each processing activity;
- Consent from an individual under the GDPR must be “freely given”, “specific”, “informed” and “unambiguous”, and given by a clear affirmative action. When you obtain consent, consider whether it is given freely, whether the wording used is specific, and whether it fully informs the data subject what is to be provided and what it will be used for. Keep a record of who consented, when, how and to what, because you must be able to demonstrate it;
- Your privacy notice must be available to the data subject at the point of collection, before the data is provided;
- Despite any resistance, you must always offer an express opt-in and NEVER use pre-ticked boxes. Pre-ticked boxes, silence or inactivity will not be considered consent;
- All privacy notices must expressly tell individuals of their right to make a Subject Access Request. The business must comply within one month (extendable by a further two months for complex or numerous requests) and can no longer charge a fee, except for additional copies or for requests that are manifestly unfounded or excessive;
- There will be practical IT issues. Withdrawing consent must be as easy as giving it, and when an individual exercises their “right to erasure” (also known as the “right to be forgotten”) the data must be permanently deleted from every system that holds it, not just removed from one record or mailing list;
- The data subject also has a “right to rectification”, which is the right to have inaccurate data corrected;
- Portability of Personal Data from one IT system to another, or to a third party at the request of the individual, must be securely possible, in a structured, commonly used and machine-readable format;
- A business can send marketing communications to an individual by post or by “electronic mail”, which under the Privacy and Electronic Communications Regulations includes email, text, video, voicemail, picture and answerphone messages (including push notifications and in-app notifications). The consent sought for this is often all-encompassing, i.e. an individual consents once to authorise all of it. Some companies offer account preference options where an online user can select or de-select the different methods. Under the GDPR the opt-ins will need to be separate, express and specific for each purpose and channel, and opting out must be just as easy. This will be arduous but necessary!
- Where a business detects a personal data breach (which has its own, fairly wide definition), it must deal with it and, unless the breach is unlikely to result in a risk to individuals, report the details and scale of it to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, they must also be told without undue delay;
- A business must undertake a Data Protection Impact Assessment before any processing that is likely to result in a high risk to individuals (for example large-scale profiling or monitoring). When deciding what security measures are appropriate, the cost of implementation, the nature of the processing and the risk to the data subjects can all be taken into account;
- Where the core activities of a business involve regular and systematic monitoring of individuals on a large scale, or the processing of special category data (formerly Sensitive Personal Data) on a large scale, the GDPR requires that a Data Protection Officer is appointed;
- Businesses will no longer be required to notify (register with) the ICO as they do under the Data Protection Act 1998, although the UK is retaining a data protection fee payable to the ICO;
- Fines of up to 20 million Euros or 4% of annual worldwide turnover, whichever is higher, could be imposed by the ICO!
- Cookies…well, after “explicit” consent opt-in was first introduced and then relaxed, industry has relied on “implied” consent, but it looks like there may be a return to the former under the GDPR standard of consent! Not so welcome for the business world, but perhaps more welcome for individuals!
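The consent, withdrawal, portability and erasure points above translate into a small data-handling pattern: record an affirmative opt-in per channel with the wording shown, default everything to “no”, make withdrawal a single step, and keep a registry of every system holding a person’s data so that an erasure or export reaches all of them rather than one mailing list. The Python below is an added example written for this page, not code from the original article or from any product; the store names (crm, mailing_list, analytics), the channel names and the sample records are assumptions constructed for the illustration.

```python
"""Granular consent, easy withdrawal, portability export and cross-store erasure.

Added illustration for this page, not code from the original article.
Store names, channel names and sample records are assumptions.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# Assumed marketing channels; each one needs its own separate opt-in.
CHANNELS = ("post", "email", "sms", "push")


@dataclass
class ConsentRecord:
    """One affirmative opt-in: channel, when it was given and the exact
    wording the subject saw, so the business can demonstrate consent."""
    channel: str
    granted_at: str
    notice_text: str


class ConsentLedger:
    """Per-subject, per-channel consent. Nothing is pre-ticked: a channel
    is permitted only if an affirmative record exists for it."""

    def __init__(self) -> None:
        self._consents: dict[str, dict[str, ConsentRecord]] = {}

    def opt_in(self, subject_id: str, channel: str, notice_text: str) -> None:
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        if not notice_text.strip():
            raise ValueError("consent must be informed: notice text is required")
        granted_at = datetime.now(timezone.utc).isoformat()
        self._consents.setdefault(subject_id, {})[channel] = ConsentRecord(
            channel, granted_at, notice_text)

    def withdraw(self, subject_id: str, channel: str) -> None:
        """Withdrawal is one call, as easy as the opt-in was."""
        self._consents.get(subject_id, {}).pop(channel, None)

    def can_send(self, subject_id: str, channel: str) -> bool:
        """The default answer is no; only an explicit record makes it yes."""
        return channel in self._consents.get(subject_id, {})

    def channels_for(self, subject_id: str) -> list[str]:
        return sorted(self._consents.get(subject_id, {}))

    def export(self, subject_id: str) -> dict[str, dict]:
        return {ch: asdict(r) for ch, r in self._consents.get(subject_id, {}).items()}

    def erase(self, subject_id: str) -> None:
        self._consents.pop(subject_id, None)


class SubjectDataStores:
    """Registry of every system holding personal data, so erasure and
    portability exports reach all of them, not just one mailing list."""

    def __init__(self, ledger: ConsentLedger) -> None:
        self.ledger = ledger
        # Assumed systems; in a real estate this list comes from the data audit.
        self.stores: dict[str, dict[str, dict]] = {"crm": {}, "mailing_list": {}, "analytics": {}}

    def put(self, store: str, subject_id: str, record: dict) -> None:
        self.stores[store][subject_id] = record

    def locations(self, subject_id: str) -> list[str]:
        """Which stores still hold this subject (audit: where is the data?)."""
        return sorted(name for name, s in self.stores.items() if subject_id in s)

    def export(self, subject_id: str) -> dict:
        """Portability: one structured bundle of all data held plus consents given."""
        return {
            "subject_id": subject_id,
            "records": {n: s[subject_id] for n, s in self.stores.items() if subject_id in s},
            "consents": self.ledger.export(subject_id),
        }

    def export_json(self, subject_id: str) -> str:
        """Machine-readable form of the portability bundle."""
        return json.dumps(self.export(subject_id), indent=2, sort_keys=True)

    def erase(self, subject_id: str) -> list[str]:
        """Right to erasure: delete from every store and from the consent ledger.
        Returns the stores the subject was found in, for the erasure log."""
        found = self.locations(subject_id)
        for name in found:
            del self.stores[name][subject_id]
        self.ledger.erase(subject_id)
        return found


if __name__ == "__main__":
    ledger = ConsentLedger()
    stores = SubjectDataStores(ledger)
    # Constructed sample data for a single customer.
    stores.put("crm", "cust-001", {"name": "A. Customer", "postcode": "AB1 2CD"})
    stores.put("mailing_list", "cust-001", {"email": "a.customer@example.com"})
    ledger.opt_in("cust-001", "email", "Tick to receive our monthly offers by email.")
    print(ledger.can_send("cust-001", "email"), ledger.can_send("cust-001", "sms"))
    print(stores.export_json("cust-001"))
    print("erased from:", stores.erase("cust-001"), "remaining:", stores.locations("cust-001"))
```

Opting in to email does not opt the customer in to SMS, an empty notice is refused because consent would not be informed, and a single `erase` call removes the customer from every registered store and the ledger together. In a real estate the store registry is populated from the data audit described above, and the list returned by `erase` is what you keep as evidence that the deletion was complete.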
Please get in contact with us at firstname.lastname@example.org or call us on 0800 6894168 if we can help you with any of this!