GDPR Starts Now | Law Hound

GDPR Starts Now

We know – data protection is not generally considered to be one of the most scintillating topics of conversation. It’s seen as dry and often gets filed away in the ‘read later’ pile.

The time to focus on it is now: it is going to affect every B2B contract and every business. Data protection law is changing, and the General Data Protection Regulation (GDPR), which aims to update and strengthen data protection, will apply from 25 May 2018. You need to get started now to be fully compliant by then.

Your business can either be an ostrich (bury its head and assume/hope it will just pass you by) or, get a grip on what is needed and start taking control by acting right now. So for those of you who don’t see the benefit of putting pressure on yourselves and leaving things to the last minute, here’s our introduction to the main changes we can all expect from GDPR:-

(1) Broad personal data

There is a broader definition of what personal data means and covers, based on whether data can “single out” (identify) an individual, directly or indirectly. GDPR expressly includes online identifiers, so this covers

  • cookies
  • IP addresses

What does that mean for my business?

Start by making sure that you understand what personal data is, then put a comprehensive, plain English policy in place and actually follow it. That policy should mean that you

  • only collect data that you need,
  • store data for no longer than needed, and
  • aggregate and/or anonymise that data where possible, so it is no longer personal data.

One caveat: anonymisation only takes data outside GDPR if it is irreversible. Data that has merely been pseudonymised (for example, an identifier replaced by a hashed or keyed value that could be mapped back to the person) is still personal data and still has to be protected.

(2) Consent

The definition of consent in data protection terms is changing. Consent must now be

  • informed
  • specific
  • unambiguous
  • freely given

In addition, if you collect data about children then you may need the consent of their “grown-up” (parent or carer etc.). GDPR sets the age below which parental consent is needed for online services at 16 but lets each member state lower it to no lower than 13, and in the UK it is expected to be 13.

What does that mean for my business?

Gone are the days when a vague line or two, skilfully hidden in terms and conditions where even an experienced explorer would be hard pushed to find it, will do. Consent also has to be given by a clear affirmative action, so pre-ticked boxes and silence do not count.

You will need to

  • review how you obtain consent (the method) and check it meets the forthcoming changes, and keep a record of what each person consented to, when and how
  • understand that consent can be withdrawn at any time, and must be as easy to withdraw as it was to give, so decide what alternative lawful basis (if any) you can rely on to continue processing
  • ensure that if you need consent for children your information is appropriately accessible to children – this means child friendly terms

(3) Transparency – more information

You must provide more detailed information about who you are and how you will be using data. You will also be obliged to ensure that data subjects know their rights.

What does that mean for my business?

Your data/privacy policy needs to be reviewed and updated to give more information at the time you collect data: who you are and how to contact you, what you will use the data for and on what lawful basis, who you will share it with, how long you will keep it, and a reminder to “data subjects” of their rights, including the right to complain to the ICO.

(4) Prove your compliance

GDPR is about accountability and documenting what you do. Data controllers and data processors need to

  • say what they do and
  • do what they say

What does that mean for my business?

  • carrying out data protection impact assessments where needed (a must where high risk data processing is proposed, such as large scale processing of sensitive data or systematic monitoring)
  • written policies and processes which you implement and follow
  • recording what you do so you can prove it, including a record of your processing activities

(5) Self-reporting breaches to those concerned

When personal data breaches happen, your business needs to:

  • let the ICO (Information Commissioner’s Office) know within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals
  • provide details of the nature of the breach (the categories and approximate numbers of data subjects and records affected), the likely consequences and the steps taken or proposed to mitigate it
  • let the individuals affected know without “undue delay” if the breach is likely to result in a “high risk” to them (for example, where sensitive data is at risk)

What does that mean for my business?

The “failing to find” excuse (whoops, who put that massive 10 foot wall right in front of my face that I didn’t notice) that businesses enjoyed before these changes is gone. Your job is to

  • quickly identify data breaches, and
  • work out who and what is affected, and
  • report this to the ICO, and
  • detail your plan to deal with it (recovery/mitigation), and
  • check that those who provide services to you (IT providers and other data processors) will tell you about breaches without undue delay, so you can meet your own 72 hour deadline – put this obligation in your contracts with them

Hint: the recovery/mitigation plan needs to be in place before the breach occurs. Leaving it until a breach occurs is not an option.

(6) Greater sanctions

There will be greater sanctions for data protection breaches and non-compliance. For example, fines for the most serious breaches will cost you up to an eye-watering €20m or 4% of your annual worldwide turnover, whichever is higher.

What does that mean for my business?

Without wishing to state the obvious, if this isn’t a good reason to plan things out properly, what is?

Is that all of GDPR?

No, not quite. There are some other issues which will impact on some businesses, such as more responsibility and accountability for data controllers, direct legal obligations on data processors for the first time, and new rights for individuals (including data portability and the right to erasure).

Surely, I don’t need to bother about this because of Brexit do I?

Yes, you do. This will be in force in UK law.

Of course, Brexit will bring changes and nobody can predict those at this stage. However, one thing we can guarantee is that on “leaving day” every piece of UK legislation which gives effect to EU law is not going to suddenly melt away, data protection law included. In any case, the UK government has confirmed that it will implement the GDPR – so there we have it, ignore it at your peril.

Get Started Today

These changes are coming. Let’s get started on compliance today: it’s less expensive, and you sleep better at night by being proactive. Being reactive next year will make things that much harder. Call us on 01244 300413 today or use the live chat box to get in touch about how we can help.

    Law Hound