The countdown is on until the General Data Protection Regulation (GDPR) applies. From 25 May 2018, any business that holds or uses data about individuals will be affected by the rules, which introduce onerous obligations which will take some time to prepare for.
Modern businesses already routinely collect and process significant personal data about employees, suppliers and customers. The trend towards direct contracting with individuals for services, such as green waste collections, wheelie bin cleaning or recycling incentive schemes, is likely to increase that.
A business might typically hold email and residential addresses, telephone numbers, dates of birth, complaints and customer relationship management records, credit card details and employee records, all of which would be caught by the rules. The penalties for breaching the GDPR could cripple businesses, with dramatically increased fines of up to 4% of annual turnover or €20m (£17.7m), so businesses should take steps to comply without delay.
Consent for data processing activities will be harder to obtain. If a business relies on the individual’s consent as a legal basis for such activities, which many do, it will need to ensure that any consent it obtains shows a positive agreement from the person who gave it and that they clearly understood what they were consenting to. It will no longer be enough to infer ‘passive’ consent from inaction. Under the GDPR, only ‘active’ consent will suffice, such as the individual ticking a box.
Where a business processes somebody’s data for multiple purposes, it will need to be able to show consent for each purpose. So if a business wants, for example, to mailshot its customers to offer a new service, share customer details with third party partners, or allow third parties (such as web hosting, IT and payroll providers) to process the data, then clear consent for each use will be needed.
Data subjects will have the right at any time to withdraw consent, wholly or partly, so businesses will need to ensure they have adequate technology and processes in place to cope with all the consent permutations.
The Government has reiterated that after Brexit the UK will implement the GDPR to allow unimpeded data flows and support free trade with the EU – not least the three million tonnes a year of waste material that we send to other member states.
The GDPR adopts a risk-based approach to compliance, under which businesses bear responsibility for assessing the degree of risk that their processing activities pose to individuals. For example, high-risk areas might include the chance of credit card details being hacked or sensitive information about an employee being used to bully or blackmail them. Businesses will also be required to conduct a mandatory privacy impact assessment before implementing any new technologies.
Companies should create awareness of the new regulations among management, as well as:
- Audit and document the personal data they hold
- Record where it came from and who it is shared with
- Review and document the legal basis for the types of processing they carry out
- Review privacy notices and contractual terms
- Put in place a compliance plan, including staff training, updating internal policies, processes and security protocols
- Develop response plans for data breaches and subject access requests
What is the new regulation?
Regulation (EU) 2016/679 was passed by the EU Parliament and Council in 2016. It covers protection of natural persons with regard to the processing of personal data and the free movement of such data.
It was designed to establish a single, pan-European law for data protection, meaning that companies simply deal with one law, not 28. This streamlining is estimated to save businesses around €2.3bn a year. The European Commission says the reform will stimulate economic growth by cutting costs and red tape for small and medium enterprises.
Businesses that are covered by the regulation will need to, among other things:
- Respond to information requests from individuals within one month and provide the information in a common, machine-readable format. Individuals will also have the right to request that businesses rectify, erase or block their personal data in certain circumstances – for example if they switch to a new provider or move to a new employer.
- Notify the Information Commissioner of data breaches within three days, unless the breach is unlikely to result in a risk to the individuals.
- Maintain detailed documentation recording their processing activities if they employ more than 250 people; such organisations may also be required to appoint a data protection officer to oversee their compliance.
Alex Zachary is an environment lawyer with BP Collins