Described by the Information Commissioner as “the biggest change to data protection law for a generation”, the General Data Protection Regulation (GDPR) is Europe’s update to data protection law that comes into force across the whole of Europe (including the UK) on 25th May 2018.
If you process personal data, that means you have just over 8 months to get your data, systems and policies in order and compliant with the new rules. Whilst in a general sense the GDPR is not too far from the current data protection regime in the UK (the Data Protection Act 1998) there’s a number of significant changes coming that will impact the way you use personal data in your business.
Its aim is to bring data protection up to date for our digital, data driven era and to make organisations more accountable for their data processing activities, whilst protecting the privacy and interests of EU citizens.
At 88 pages, 99 Articles and 173 Recitals the GDPR is a complex piece of legislation, but in a nutshell, some of the more significant changes can be summarised as:
- liability and responsibility for organisations seen as data processors
- new rules for when you’re using consent as the lawful basis for processing (e.g. when collecting data for marketing purposes)
- certain requirements for the recording of processing activities (e.g. when consent is the lawful basis for processing)
- new data subject rights: the right to be forgotten and the right to have your data exported in a portable format
- introduction in law of data protection by design and default along with use of Data Protection Impact Assessments
- the requirement for some businesses to appoint a Data Protection Office (DPO) responsible for data protection compliance in a business
- the requirement, in some circumstances, to report data breaches to the Information Commissioner’s Office and those affected by the breach (i.e. the data subjects)
- the potential for increased fines for failure to comply – up to 4% of global turnover or €20m in some cases
And if that’s not enough, add into the mix:
- the new ePrivacy Regulation (which will replace the UK’s Privacy and Electronic Communications Reg, possibly at the same time the GDPR comes into force)
- Brexit and the implications of the UK becoming a “third country” from a GDPR perspective
- the UK Government’s proposals for a new Data Protection Act
So, if you’re not already thinking about how the GDPR may impact your business, with only 8 months or so to go, now’s probably the time to start thinking about it. At the very least, audit your data, data flows, systems and policies across your business and consider how the GDPR will impact them – this will give you an idea of what you’ll need to do and the scale of what’s needed to be compliant.
But don’t worry, help is at hand. Flavourfy Digital offers a number of services that can help your business including the Digital Compliance Hub. We can do everything from pointing you in the right direction to taking care of it all for you.
Whatever you do, don’t stick your head in the sand and think it doesn’t impact you – if you process personal data (data that identifies an individual) then it does. And, don’t think Brexit will save you – if anything, it complicates things, but for sure the GDPR is here to stay before the UK leaves Europe and after we’ve left.
Act now, whilst you’ve still got time.