The new GDPR (General Data Protection Regulations) came into effect on the 25th May 2018. It affects all U.K. businesses that have access to any form of customer data. The date for this new legal framework is rapidly approaching. There are two key questions here: Do you know what GDPR is? And are you ready for it? If you are unsure about either of these questions then we can help you!
So, what is the GDPR?
The GDPR is a regulation (Regulation (EU) 2016/679) by which the European Parliament, the Council of the European Union and the European Commission aim to strengthen and unify data protection for everyone within the European Union. This is the biggest change to data protection regulations in over two decades and is going to have a significant impact on businesses and organisations that handle personal information.
The GDP will change how businesses process and handle data. It builds on what is currently within the Data Protection Act (DPA) but with additional details and a new accountability requirement. You will now be required to demonstrate how your business complies with these principles.
The GDPR contains 99 articles that set out the rights of individuals and the obligations of organisations that will be placed on businesses and public sector organisations that are covered by the new regulations, this includes allowing individuals to have easier access to the information that you hold about them, stricter responsibilities for organisations to obtain consent from the individuals that they hold information about along with a new fines regime.
But if it is a EU initiative and we are leaving the European Union, then why does this matter?
The government has confirmed that the UK’s decision to leave the EU will not affect the implementation of the GDPR. Provisions in the UK will be covered by the Data Protection bill which has been published by the government. This bill was published on the 14thSeptember 2017 and will now pass through both the House of Commons and the House of Lords until ultimately it becomes law.
Will it affect me?
The GDPR applies to both ‘controllers’ and ‘processors’ and the definitions for these and similar to those in the current DPA (Data Protection Act). In simple terms, the controller says how and why personal data is used and the processor acts on the controller’s behalf. If your business is currently subject to the current Data Protection Act, then chances are that you will also be subject to the new General Data Protection Regulations. Both personal data and sensitive data is covered by the GDPR.
If you are a processor the GDPR places specific legal obligations onto your business that are a new requirement under the GDPR. If your business is responsible for a breach of these obligations then there is a significant legal liability upon you. If you a controller, then you also have obligations under the GDPR to ensure that your contracts with any processors are fully compliant with GDPR.
As well as applying to businesses that operate within the UK and the EU, it also applies to businesses that offer goods or services to those that are within the EU.
So, what do I need to do?
If your business is currently DPA compliant then you have a good basis from which to start. However, under the GDPR there are additional requirements that will be new to you as well as an increased priority on some of the elements from the DPA. Therefore, there will be some processes that you will need to improve, and some new processes that you will need to introduce.
As a business, it is essential that you start planning your approach to GDPR early to ensure that you have left sufficient time to gain support from the key people in your business and those that you work with. Starting early will also allow you the time to implement new procedures and improve existing ones. For some businesses, this may require making significant changes to your IT systems, websites or electronic storage, all of which can be time consuming.
How can you help me?
We are able to offer consultancy to venues to discuss how GDPR affects you and devise a plan to ensure that you are GDPR compliant in all areas of your organisation.