New Data Protection Regulations – Are you ready?
July 13, 2017
Data protection has always been considered a key concern for big business. High profile data breaches in recent years highlight the scale on which data is now gathered and the risks inherent in collecting data en masse.
It has been almost two decades since the UK Data Protection Act was introduced in 1998. Since then, the internet has become critical to the success of most, if not all, organisations. Furthermore, the rise of social media and cloud storage has dramatically changed how an organisation markets its products and services, and where it keeps the personal data it collects.
However, data protection may not have been at the top of the small business owner’s ever-growing list of priorities. With the introduction of the EU General Data Protection Regulation (GDPR) on 25 May 2018, this will need to change.
What is GDPR?
The General Data Protection Regulation (GDPR) is the new EU privacy regulation designed to harmonise data protection practice across Europe. Unlike the 1995 Data Protection Directive it replaces, it applies directly in every member state without needing national implementing legislation. The new rules offer more protection to citizens and their data. Consent is one of several lawful bases for processing, but where an organisation relies on it, the consent must be freely given, specific, informed and unambiguous, and explicit consent is needed for sensitive categories such as health data. Organisations will also need to be clear about the purposes for which they collect information; gathering data without a stated purpose will no longer be possible.
GDPR also strengthens the existing right of individuals under the UK Data Protection Act to request access to their personal information: the £10 fee is removed in most cases and the deadline for responding shortens to one month. It adds a right to erasure (the ‘right to be forgotten’), allowing individuals to have their personal data deleted where there is no compelling reason for an organisation to continue holding it.
This means that all businesses will have new obligations and responsibilities, and consideration needs to be given now to how they will comply before GDPR comes into force next year.
But won’t Brexit mean my business doesn’t need to comply?
The Government has confirmed that the decision to leave the EU will not affect the introduction of GDPR. Significantly, the legislation applies to any organisation, wherever it is based, that offers goods or services to individuals in the EU or monitors their behaviour, so any UK business exporting to the EU will need to comply irrespective of Brexit (‘hard’, ‘soft’ or otherwise).
For businesses whose activities are limited to the UK, the position following Brexit is less clear, but the Government has suggested that equivalent legislation will remain in effect even after Brexit.
The regulations also apply irrespective of size, meaning listed companies and SMEs will be subject to largely the same rules. The main concession for smaller organisations is that those with fewer than 250 employees are exempt from keeping formal records of processing activities, unless the processing is likely to pose a risk to individuals, is more than occasional, or involves sensitive categories of data.
What will my business need to do?
In order to ensure the regulations are adhered to, some businesses will need to appoint a Data Protection Officer (DPO). Appointing a DPO is mandatory for public authorities, for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those processing sensitive categories of data or criminal conviction data on a large scale (see the website of the Information Commissioner’s Office (ICO) for more details https://ico.org.uk/for-organisations/data-protection-reform/). The DPO must be able to act independently, must report directly to the highest level of management, and must not hold another role that creates a conflict of interest, such as deciding what personal data the business collects and why; this rules out many senior management and head-of-IT positions. Other businesses should assess the need for a DPO on a case-by-case basis and may still choose to appoint one voluntarily.
A key business activity affected by GDPR is sales and marketing. Businesses that regularly run email marketing campaigns will need to be able to demonstrate that recipients have actively opted in to receive their marketing electronically by keeping a formal record of when, where and how the opt-in was made. Pre-ticked boxes and silence do not count as consent, and withdrawing consent must be as easy as giving it.
GDPR also means that robust processes must be established for detecting and responding to data breaches. A personal data breach will need to be reported to the ICO within 72 hours of the business becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected, and where the risk to individuals is high, they will need to be told as well. Every breach, reported or not, must be documented, so an internal record of what happened, its effects and the action taken is needed in all cases.
We would therefore recommend conducting a review of how your business would respond in the event of a data breach and start formulating a plan for implementing any improvements.
So what next?
In the short term, we recommend taking the following steps:
• Designate someone within your business to take responsibility for compliance with GDPR and ensure they’re properly trained.
• Establish what personal data your business is holding, where it came from, where and how it is stored, and who it is shared with.
• Assess how your business would respond in the event of a breach, including how quickly it would be detected and who would decide whether to notify the ICO – could any improvements be made?
• Make sure you understand the regulations – the ICO website provides a wealth of information on GDPR, including a 12-step guide on how to prepare for the new legislation. https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf.
This article originally appeared on the blog of MHA member firm, Larking Gowen.