GDPR: With just under a year to go until the General Data Protection Regulation (GDPR) comes into force, now is the time to make sure your organisation is preparing for the biggest overhaul of EU data protection laws for 20 years.
The GDPR takes effect on 25 May 2018 and will continue to apply post-Brexit when existing EU laws are incorporated into UK law under the Great Repeal Bill.
However, a recent survey, carried out by Ipsos MORI and Brodies LLP, revealed a low level of awareness and readiness across businesses in Scotland, despite the risks of non-compliance.
Our survey found that 25% of businesses are not aware of the new legislation, and almost 50% have yet to start preparing for its introduction. These are surprising results, given the potential damage to business reputation and trust from non-compliance.
The GDPR introduces a number of key changes to data protection law:
- Consent – the requirements for consent are tightened so that ‘clear affirmative action’ will be required for consent to be established. Pre-ticked boxes will no longer be allowed.
- Transparency – organisations must provide more information to individuals at the point of data collection to explain how it will be used, the legal basis upon which it is being processed, and how long it will be retained.
- Lawful processing – new rules govern processing personal data for a purpose other than the one it was collected for. Public authorities will no longer be able to rely on the ‘legitimate interests’ condition for processing carried out in the performance of their tasks.
- Access – the rules allowing individuals to access their personal data and to obtain information about how that data is being used are being strengthened. New rights are introduced, including a right to erasure (the ‘right to be forgotten’) and a right to data portability.
- Privacy by design and default, and data protection impact assessments – organisations are obliged to ‘hardwire’ privacy considerations into their day-to-day operations and projects, and to carry out an impact assessment before starting processing that is likely to be high risk to individuals.
- Breach notifications – there are express statutory obligations to notify the privacy regulator of a personal data breach, without undue delay and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to individuals, the affected individuals must also be notified without undue delay.
- Accountability – organisations must be able to demonstrate to privacy regulators that they are complying with the GDPR on an ongoing basis.
- Sanctions – the maximum fines that can be imposed for serious contraventions are €20m or 4% of total worldwide annual turnover, whichever is higher. Lesser contraventions also carry hefty fines, of up to €10m or 2% of total worldwide annual turnover.
What should I be doing?
The GDPR will require all organisations to review how they handle personal data. That includes internal policies and procedures, privacy notices, technology and contractual relationships.
Whilst we are still awaiting regulatory guidance on a number of key areas, there are some basic steps that you can take now to prepare:
- Plan your approach and ensure you have sufficient resources;
- Carry out an information audit to identify what personal data you hold, where you hold it, where it comes from, and what you do with it;
- Review what data you hold and decide whether you still need it. If not, delete it;
- Ensure that any new technology you adopt is GDPR-compliant: in particular, that it allows you to locate, export, correct and delete an individual's data, to enforce your retention periods, and to detect and report breaches;
- Futureproof any contracts that you enter into that are expected to continue beyond May 2018, in particular contracts with suppliers who process personal data on your behalf, which will need to contain the terms the GDPR requires between a controller and a processor.
We can support your GDPR preparations by providing you with step-by-step advice on the GDPR and associated regulatory guidance. To find out more and to download our handy guides to the GDPR, visit our GDPR hub.