On 25 May 2018, the General Data Protection Regulation ("GDPR") will come into force, imposing uniform data protection laws across all EU member states in an effort to harmonise national laws, and thereby creating additional obligations for many UK businesses that process personal data.
Failure to comply with the new GDPR may expose businesses to a fine of up to the greater of €20 million or 4% of annual revenue. With this in mind, businesses should begin to make any and all internal organisational changes necessary to ensure compliance. We recommend taking the following preliminary steps:
- Assess whether the GDPR will apply to you. The new law will apply to both EU and non-EU data controllers and data processors who either (1) offer goods or services to data subjects in the EU or (2) monitor data subjects' behaviour insofar as their behaviour takes place within the EU.
- Appoint a Data Protection Officer (or similar). Certain companies will be obligated to appoint a Data Protection Officer ("DPO") to discharge the entity's responsibilities under the GDPR. Companies that are not so obligated will nevertheless need to ensure that someone within the organisation is responsible for achieving the same objective.
- Conduct a risk assessment. Businesses need to assess the degree of risk that their data processing poses to data subjects. The Information Commissioner's Office ("ICO") recommends that, amongst other things, businesses create and maintain a record of the personal data they hold, including details of where it came from, how they are processing it, and the legal basis for such processing.
- Update your privacy notices. Before collecting personal data, businesses will need to provide data subjects with more information than was previously required, including the details of the DPO, the legal basis for processing the data, data retention periods, the individual's right to complain to the Data Protection Authority if they take issue with the way their data is handled, data transfers to other countries, etc.
- Ensure that you have been and are continuing to collect the appropriate consents from data subjects to process their data. Under the current law, a data subject must give "consent" to the processing of their regular personal data and "explicit consent" to the processing of their sensitive personal data. Under the GDPR, both types of consent must also be shown to be freely given, specific, informed and unambiguous. Consent must also be revocable, i.e. the data subject must be able to withdraw their consent at any time.
- Ensure that all of your policies, procedures and processes protect the new rights of data subjects. The rights of data subjects are set to be expanded under the GDPR: individuals will now in certain circumstances have (1) the right to request that businesses delete their personal data, (2) the right to receive within 1 month a copy of the personal data held by businesses in a commonly used and machine-readable format, and (3) the right to transmit those data to another controller.
- Review your procedure for dealing with data breaches. Businesses must ensure that their response procedure in the event of a data breach is aligned with the new "breach notification duty", which in some circumstances will require businesses to notify the relevant Data Protection Authority of a data breach within 72 hours.