Kirsty Shimmins, Trainee Solicitor in the Corporate Commercial team, reminds businesses of important upcoming changes to UK data protection law.
UK businesses need to ensure that they are compliant with the General Data Protection Regulation ((EU) 2016/679) (GDPR) from 25 May 2018.
The GDPR will govern the processing of an individual's personal data, including its collection, storage, use, disclosure and destruction. The GDPR will replace the Data Protection Act 1998 (DPA) and, whilst there are similarities, there are important new principles of which businesses must be aware.
The Information Commissioner's Office (ICO) has issued guidelines for businesses to plan their approach to GDPR compliance before the implementation date, which are summarised below:
- Awareness - Key individuals in the business should be aware that the law is changing and of the likely impact this will have on the business.
- Maintaining Records - The GDPR requires businesses to maintain records of their processing activities. Records should document what personal data is held, where it came from and who it is shared with.
- Privacy Notices - Businesses should review their privacy notices as these will need to comply with the GDPR. Notices will need to identify how the business intends to use the personal data and explain the lawful basis for processing personal data, amongst other things.
- Policies and Procedures - Businesses should check, and if necessary update, their procedures to ensure that they cover all the rights individuals have in respect of their personal data, including an individual's right of access, right to object and right of deletion.
- Consent - Businesses should ensure that the consent sought from individuals to process their data meets the GDPR standard. This is a higher standard than under the DPA. The GDPR requires consent to be specific, clear, properly documented and easily withdrawn. In particular, individuals must actively opt in to give their consent.
- Personal Data Breaches - Businesses will be under a duty to report specific types of data breaches to the ICO. As such, businesses should ensure that procedures are in place to detect, report and investigate a personal data breach.
- Data Protection Officers - Some businesses will be required by the GDPR to formally designate a Data Protection Officer (DPO). DPOs will be responsible for data protection compliance and for informing and advising the business and its employees about their obligations under the GDPR.
For many businesses, compliance with the GDPR is likely to require organisation-wide changes to the way personal data is processed. It is important that businesses assess their approach towards data protection as soon as possible to ensure that they are compliant before the implementation date.
If you would like any additional information on GDPR compliance and how it will affect your business then please contact the Corporate Commercial team on 01277 268 368.