With GDPR in force next month, there’s little time left to get ready. If you’ve just come back from the moon (or have been burying your head in the sand hoping it all might go away) and haven’t thought about GDPR yet, read on:
- In a nutshell, GDPR is shorthand for the General Data Protection Regulation, new EU legislation which changes the way in which businesses must deal with personal data. It will apply in the UK (regardless of Brexit) and the rest of the EU as from 25 May 2018.
- It’s big, and it’ll take time to deal with. In other words, you need to get started as soon as you’ve finished reading this and block out your diary until it’s in hand. However, it does build on the principles in the Data Protection Act (the DPA) – so if you understand and have complied with those, you’ll be part of the way there.
- The Information Commissioner’s Office (the ICO) has loads of resources on GDPR. We’d recommend that you start by reading their “Guide to the General Data Protection Regulation”, which is freely available on their website. It’s written in plain English and has downloadable templates you can use too.
- There are other resources and training available elsewhere, particularly regarding the first stages. HRC Law, for example, has produced a toolkit (available on its website here), which will help to give you a framework to start from.
- GDPR has teeth. Data controllers (which is much broader than it sounds and almost definitely includes your business) and processors who don’t comply could face substantial fines.
- In most ways, the GDPR is tougher than its predecessor legislation (which was implemented by the DPA in the UK). Legislators looked at the problem areas regarding how data was processed. As the world had moved quickly since the DPA came into force (what were you doing in 1998?), they also looked at whether and how data arising from new technologies should be caught and dealt with (e.g. genetic or biometric data).
- One of the big changes in practical terms is the way in which the GDPR promotes accountability and governance with regard to holding and processing personal data. There’s much more focus on documenting what you do, and on making your data subjects (those whose data you hold and deal with) aware of this, and of their rights. Data subjects have new and strengthened rights under GDPR, so you’ll need processes in place to deal with these effectively.
- Thinking about (and documenting) the purpose for which you hold a particular type of data and the basis on which you are processing it is key.
- There are some areas where the risks of non-compliance are greater, for example:
a. if you relied on “implied consent” as a ground for processing personal data in the past, you won’t be able to do so under GDPR;
b. you will need to ensure that you have appropriate consent when marketing to individuals; and
c. you will also be required to do more in order to remain compliant if carrying out certain sorts of processing or dealing with certain sorts of data.
- HRC Law and other specialists would be happy to help with any aspect of GDPR – whether you need advice or more practical help. Please contact Graham on T: 0161 358 0545 or at E: firstname.lastname@example.org.
This article contains general overview information only. It does not constitute, and should not be relied upon as, legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter.