Significant advancements in technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals are increasingly making personal information available publicly and globally and there is increased ease with which data may be collected, transmitted, stored, manipulated and, most importantly, disseminated. These developments, together with a general increase in awareness of fundamental rights, particularly the right to privacy, have led to legislative changes and the emergence of a new regime of privacy protection.
The revised EU data protection regime is set out in the General Regulation of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR). The GDPR will be directly applicable in all EU member states on 25 May 2018
Who does the GDPR apply to?
The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the Data Protection Act 1998 (DPA) – i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
What information does the GDPR apply to?
The GDPR defines personal data as “any information relating to a data subject” whether stored electronically or on paper. A data subject is the identified or identifiable person to whom the personal data relates. A person is identifiable if he or she “can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity” of that person. For example, an IP address or cookie identifiers can be personal data.
The protection of natural persons in relation to the processing of personal data is a fundamental right.
What do I need to do?
The regulator recommends that firms take 12 steps:
- Awareness – How aware are your management team of the impacts of the GDPR?
- ICO’s Code of Practice – Have you undertaken a gap analysis?
- DPO – Where needed, have you designated someone to take responsibility for data protection compliance?
- Existing information – Do you know what personal date you currently hold?
- Privacy notices – These may well need to be updated for the GDPR
- Rights – Do your processes give individuals the rights they should have?
- Subject Access Requests – Will you be able to meet the new timescales?
- Lawful basis – Have you documented and disclosed the lawful basis for processing data?
- Consent – Have you reviewed your processes on how you seek, record and manage consent?
- Children – Do you need systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity?
- Breaches – Have you processes to detect, report and investigate breaches?
- International – Have you considered international aspects and do you know your lead supervisory authority for data protection?
Getting it wrong could be very costly
The GDPR introduces much higher penalties. For example, for the most significant breaches, firms can be fined up to €20m or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. And be aware, the UK’s ICO does investigate and fine firms on a regular basis – they go after all types and sizes of firms, not just the big ones
How can Bovill help?
We are very familiar with implementing regulatory change – We draw on lessons learnt, good and bad practice, our experience working with comparable clients and messaging from the regulator. Get in touch now.