The new General Data Protection Regulation (GDPR) will come into effect on 25 May 2018, which is only a few months away! A lack of knowledge will not be deemed an acceptable excuse for not having safeguards in place.
With recent research suggesting that over 90% of firms are unprepared for the new data protection rules, here we seek to outline the requirements under the new GDPR.
The GDPR replaces the existing Data Protection Act (DPA) 1998, and governs how individuals’ personal data is managed. It applies to all businesses in the EU. Even though the UK will be leaving the EU, it will not affect the commencement of the GDPR, which is set to be placed into UK law post-Brexit.
The GDPR is needed due to developments in internet and cloud technologies. There are now many ways to collect and store personal data. New measures are therefore required to ensure personal data is kept safe, and is only kept for legitimate purposes. All businesses, small and large will be required to comply with the GDPR.
The key principles of the GDPR
There are a number of key areas that your clients need to be aware of based on the fundamental principles of the GDPR.
The new Regulation places a strong emphasis on accountability and transparency, and holds businesses accountable for safeguarding the collection, usage and storage of individuals’ personal data.
Businesses already compliant with the DPA will need to supply evidence of their compliance with the new GDPR. Firms are required to identify a lawful basis for processing clients’ personal data: this must be processed fairly and accurately, and be kept in a form which permits the identification of data subjects for no longer than is necessary.
Your clients may wish to ensure that their members of staff are aware of the new GDPR regulations, and that they provide them with thorough training ahead of the 25 May introduction date. Some businesses might choose to assign a Data Protection Officer – however, this will be a requirement in specific cases.
Making use of adequate procedures to prevent data breaches
Businesses are advised to make sure that they have detailed procedures in place to detect, report and investigate a personal data breach. Certain types of data breach will need to be reported to the Information Commissioner’s Office (ICO). Larger firms may wish to create new policies for their staff to follow in the event of a data breach, and ensure that these are communicated to their employees well in advance of the GDPR implementation date.
Penalties for non-compliance
Failing to prevent a data breach can result in fines of up to 4% of total annual worldwide revenue, or up to €20 million, whichever is the greater.
Further guidance in relation to complying with the GDPR requirements can be found on the ICO website.
Practice Track’s two-page factsheet provides an overview of the new Regulation, and includes information and advice to help your business clients comply with their new legal responsibilities. To find out more, or to place an order, please visit our website.