2nd May 2018
Are you ready for the GDPR?
If you haven't yet got to grips with the new GDPR provisions then time is running out. The regulation comes into force on 25 May 2018 and has far-reaching implications for all businesses, large or small, in how they manage personal data.
Failure to heed the regulation could have serious consequences, with fines up to €20m or 4% of annual turnover. For a detailed overview, the Guide to the General Data Protection Regulation (the GDPR) on the website of the Information Commissioner's Office sets out the steps that businesses need to take in order to comply with the requirements.
The new regulation
The EU General Data Protection Regulation is not exactly new, having been introduced in early 2016. However, it takes effect two years later, on 25 May 2018, a date that is now rapidly approaching. The GDPR brings European data privacy laws into alignment. It also recognises that 20 years have passed since the Data Protection Directive, which it replaces, came into force, and that the intervening period has been one of technological change in the way data is collected, held, communicated and shared. Its aim is to protect and empower all EU citizens regarding the privacy of data pertaining to them and to reshape the way organisations across the region approach the subject.
The regulation starts: 'The protection of natural persons in relation to the processing of personal data is a fundamental right ... everyone has the right to the protection of personal data...' So how is that right protected by the GDPR? Three elements are important: territorial scope, the penalty regime and the tightening up of consent requirements.
- The new regulation clarifies that it applies to all businesses processing personal data of data subjects in the EU, regardless of the company's location. Whether or not the processing takes place in the EU, the GDPR will also apply if the activities relate to the supply of goods or services to EU citizens and this is monitored from within the EU.
- A breach of the GDPR can result in a maximum fine of up to 4% of annual global turnover or EUR 20m, whichever is greater. Lesser penalties can apply, and both controllers and processors are liable to fines, so data stored in the cloud will not be exempt from the GDPR.
- Rather than legalese and lengthy terms and conditions, requests for consent to store and use data must be intelligible and easily accessible. Further, the withdrawing of consent must be as easy as the granting of it.
Rights and obligations
The GDPR sets out various rights and obligations to protect the interests of data subjects.
- If a data breach is likely to 'result in a risk for the rights and freedoms of individuals', notification of this must be made within 72 hours of this coming to light. Customers must also be notified 'without undue delay'.
- Data subjects have the right to ascertain from a data controller whether their personal data is being processed and how it will be used. If required, the controller must supply a copy of the personal data, free of charge and in an electronic format.
- The GDPR includes a 'right to be forgotten'. If requested, a data controller must erase the personal information of a data subject. If data is no longer relevant it should also be deleted.
- The concept of 'data portability' is introduced by the GDPR. A data subject can obtain particular data to enable them to pass this to another controller.
- The concept of 'privacy by design' is an integral requirement of the new regulation. The protection of data is a fundamental principle that has to be taken into account when systems are being designed, rather than something that is considered later.
- Naturally, there are record-keeping requirements. It will only be necessary to appoint a data protection officer for controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or of data relating to criminal convictions and offences.
Advisers who are unsure as to their obligations need to familiarise themselves with the ICO guidance.
The ICAEW has published a checklist for practitioners on the public section of its website.
The CIOT also offers a set of FAQs which has been reviewed in conjunction with the Information Commissioner’s Office, although users are reminded that the guidance is not a substitute for taking appropriate legal, IT and other professional advice.