By Patrick Stewart
General Data Protection Regulations (GDPR) take effect on 18 May 2018. The regulations will make significant changes to data protection rules and, in particular, will afford additional protection to individuals who are data subjects. Authorities will have the power to impose significant fines for breaches. Organisations that hold data need to begin preparation for the new regulations now.
The regulations emanate from the EU, however, the Government has indicated that they intend to retain the regulations even after Brexit and will put them into legal effect.
Whilst the existing rules regarding data protection will continue to apply, the principal changes are:
Privacy notices – when collecting personal data, the individual must be informed of the lawful basis for processing the data, the data retention periods and that the individual has a right to complain to the Information Commissioner’s Office (ICO) if they suspect there is a problem with the way their data is being handled.
Subject Access Requests – the 42 day maximum period to comply with data access requests is reduced to 1 month and the right to charge a fee for providing information will no longer be allowed.
Right to be forgotten – this has now been given regulatory effect. Data cannot be retained where there are no legal grounds for doing so.
Children – under 16s benefit from additional protection. Consent must be given by a parent.
Obtaining individual’s consent to general processing of data is the mechanism most often used at present to justify the processing. Employers often include such a clause in the contract of employment. By signing the contract, the employee has given consent to the processing of data about them by the employer. This will not be possible under the new regulations.
Whilst consent will remain, it will have to be explicit, freely given and specific to the data processing which is envisaged. Furthermore, it cannot be included within a document seeking to cover other matters. Therefore the consent clause in an employment contract is unlikely to meet the standard which will be required - there will need to be a separate consent document.
The ICO will have power to levy fines for data breaches and general non-compliance. These fines have a maximum of €20m or 4% of the organisation’s global turnover. This is a maximum, but the authorities are required to consider penalties to be effective, proportional and dissuasive.
Finally it is not sufficient for the company to comply with the regulations, it must be able to demonstrate such compliance.
The ICO (www.ico.org.uk) provides guidance as to the regulations. A starting point would be to review current processes and procedures and see to what extent a company is compliant with the regulations. Remember there will need to be time ahead of next year to review, make alterations where necessary, consult with staff and train staff on the new procedures.
For further information, contact firstname.lastname@example.org
For further details about our expertise in this area, please Click Here