The General Data Protection Regulation (‘GDPR’) comes into force on 25 May 2018 and is the largest overhaul of data protection since the 1998 Act.
The GDPR brings with it a requirement for you to:
- Identify or recruit a Data Protection Officer if you carry out regular and systematic monitoring of individuals on a large scale, or your core activities consist of processing special categories of data (sensitive personal data)
- Review and update your policies and procedures (or draft some if you don’t have any). It will no longer be enough just to comply with the Data Protection Principles. You will also need to demonstrate your compliance, and the best way to do that is to prepare and implement robust policies and procedures, and ensure all your staff and volunteers are trained on at least an annual basis
- Review consent – the requirement for valid consent has been raised to requiring ‘clear affirmative action’ and for sensitive personal data (now called special categories of data) consent must be ‘explicit’ – so silence, pre-ticked boxes or inactivity is not valid consent – and individuals must be able to withdraw consent. For many public authorities consent will not be an appropriate means of justifying the processing of personal data (though it will still play an important role in being fair and transparent in the use of personal data), and another justification, such as performance of a public task, will be more appropriate.
- Update and get ready for new timescales for compliance with Subject Access Requests – the 40 day timescale is reducing to a month (and that’s not 28 days or 30 days but a month, so in one month of the year you will have only 28 days to respond, while in other months you’ll have 31). You will no longer be able to charge for Subject Access Requests (unless the government utilises its power to derogate from this – it is unknown whether it will do so), so you may find they drop off in the early part of 2018, but brace yourself for an increase from 25 May onwards. If you currently deal with a large number of requests, you should consider providing electronic access only to save on costs.
The purpose of the GDPR is to enact a single data protection law across Europe, to give enhanced rights for individuals, greater and more prescriptive obligations on those that process personal data and serious consequences for non-compliance.
So even though we are leaving the EU, we won’t have left by 25 May 2018, so the GDPR will apply to us. Even after we leave the EU, the government has indicated that we will still choose to follow it, as it will assist those organisations that continue to operate in and trade with EU countries.
There are some bonuses to data controllers – you don’t have to register with the Information Commissioner any more but, as the ICO is partly funded through a fee regime, we may yet hear from central government that there will be a new fee regime or regulatory system approach.
Enforcement will potentially be the biggest blow though. There will be two tiers of fines:
- Tier one: up to 2% of annual turnover or €10,000,000 (whichever is higher)
- Tier two: up to 4% of annual turnover or €20,000,000 (whichever is higher)
Please contact us if you would like to discuss how any of the above affects you and your organisation.