04-04-18

Never Mind the Bollocks – Here’s the GDPR By now surely everyone in the UK has heard or seen something about the General Data Protection Regulations (the “GDPR”) coming into force on 25th May – though it seems that an understanding of what is actually needed for compliance may be in short supply. In brief: the new GDPR is very much like the old DPA but with enhanced requirements, a shifted focus and, crucially, dramatically-increased penalties for non-compliance.
 
”Consent” remains a key feature of the GDPR but is no longer an all-purpose tool. The new law puts strong emphasis on balancing the “legitimate interests” of the data user against the interests of the data giver. With few exceptions, organisations must now ensure that each “Data Subject” either explicitly consents to the use of his/her data or is not unfairly treated by use made without express consent. When relying on consent, an organisation must obtain an unambiguous and freely-given “opt in” to a Privacy Policy which is easily-accessible, clear and concise (i.e. no more vague fluff like “we really value and respect your privacy”).
 
Additionally, the GDPR strengthens the requirements to honour “Subject Access Requests” (the right for individuals to access data about them), to appoint a DPO or DPR (Data Protection Officer or Representative), to strengthen contracts with data processors, and to ensure that any transfer of Personal Data out of the EU is subject to minimum enforceable standards.
 
Any breach of the GDPR brings the spectre of having to immediately notify the authorities and the affected Data Subjects – and the potential fines now reach to the greater of €20m or 4% of global turnover.
 
Every company that stores and/or processes Personal Data about individuals in the EU (including even a company without physical presence in the EU) needs to take at least some basic steps toward compliance by (or soon after) 25 May 2018, including:
·          undertake a “data audit” of all stored electronic and physical data, to confirm source, type, age, accuracy and a lawful basis for use;
·          consider deleting data which may be outdated, inaccurate or irrelevant, or for which adequate consent was not obtained or a balance of interests cannot be evidenced;
·          ensure data security practices are appropriate and proportionate;
·          adopt procedures for dealing with ongoing compliance, Subject Access Requests, and potential data breaches/hacks which may occur in future; and
·          demonstrate an internal culture of “privacy by design and default” by documenting progress toward full GDPR compliance.
 
Europe has radically upped the stakes for Data Protection and now nearly everyone must raise their game to meet this new challenge.
Article by Tom Frederikse