Partner and Head of Wills & Estate Planning at Andrew & Co Solicitors Helen Newson writes...
Are You and Your Company GDPR Ready?
The General Data Protection Regulation (GDPR) has replaced the old data protection legislation, and will be applicable EU-wide from 25th May 2018. It may seem like a long way off, but you need to start asking yourself what personal data you hold, where it came from and who you share it with now as putting the necessary procedures in place could take some time.
Irrespective of when the United Kingdom leaves the European Union following Brexit, one thing is for certain – the GDPR will take effect, and you and your company will be held accountable if you do not comply with the regulations.
There are certain aspects that you must be familiar with, including:
Under the GDPR, consent must be informed as to the purpose for which information is being obtained, and the data subject (the individual you are obtaining information about) must give it freely and specifically for the informed purpose – it is not enough to form consent through pre-ticked consent boxes or silence.
If you have already been given data protection consent from a data subject, you will not be required to 're-obtain' all existing consents for compliance with the GDPR.
The Right to Erasure
Commonly referred to as 'the right to be forgotten', the right to erasure deals with a data subject's ability to request for their personal data to be deleted or removed. Personal data can be removed when there is no longer a compelling reason to continue with its processing.
It must not be forgotten that an individual's 'right to be forgotten' is not an absolute right. Individuals have a 'right to be forgotten' in certain circumstances, including:
- when consent from the individual is withdrawn; and
- when personal data is no longer being used for its originally intended purpose.
One significant introduction by the GDPR is that there will now be a duty on all organisations to report certain instances of data breaches. What constitutes a personal data breach is wide, and covers the loss, alteration, destruction or unauthorised disclosure of personal data.
Because of the potential damage caused by a data breach of individuals, such as financial losses, you must report a data breach within 72 hours to your relevant supervisory authority, as soon as you become aware of the breach. Note that this 72 hours is not limited to business days only!
Do not fear this 72-hour time-frame however: the GDPR acknowledges that fully investigating a breach within this time-limit can be nearly impossible and allows you instead to release information on breaches in a number of phases.
Failure to Comply
If you are found not to be compliant with the GDPR, you and your business could face fines from the Information Commissioners Office of up to €20M, or 4% of annual group global turnover, whichever is greater.
Unfortunately, it is no longer an issue of 'if' you will suffer a data breach, but 'when'. So how have you been preparing?
If you require further information on the GDPR and what action you should be taking, you can visit the Information Commissioner’s Office website for a step-by-step guide.