Every business should know by now how to operate within the regulations of the DPA (Data Protection Act). I know what you’re thinking. This is all way too simple. If only the EU could come up with an even more complicated law on data protection that would really test us. Well, they have: the new ‘General Data Protection Regulation’ (GDPR). ‘Damn’, I hear you say, ‘we will miss out because we are leaving the EU’. Nope. First of all, the new law comes into effect in the UK in May 2018, before the two-year Brexit period ends. In addition, the law is consumer-friendly and is, therefore, unlikely to be unravelled by the Government. Finally, if we want to continue to trade as freely as possible with the EU, this will undoubtedly be one of those laws we have to continue to comply with, especially given that our sites will be accessible by EU citizens.
So, you are not going to miss any of the fun of complying with GDPR. Essentially, the new data protection regime moves the dial even further in favour of the user. Among many other changes, here are some key elements you need to know before it comes into effect:
- Your business will need to implement technical and organisational measures, document processing activities and appoint a Data Protection Officer if it is a public authority or if the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”.
- The GDPR applies to “personal data”, but the GDPR’s definition of personal data is more detailed than the DPA’s. The new definition provides for a wide range of information to constitute personal data. This is to reflect the changes in technology and the way organisations can now collect information.
- Under GDPR, you will have an obligation to put in place organisational measures to show how you integrated data protection into your processing activities.
- This means that privacy in a service or product should be taken into account from the start of a product concept.
- Data subjects will have greater access to their data - you can no longer charge them £10 for that purpose.
- Data subjects will have a ‘right to be forgotten’ or a ‘right to erasure’ of their data.
- The regime around giving consent is tougher. Businesses will need to ensure that data subjects can withdraw their consent to their data being processed. Businesses must also ensure that consent is “explicit” for processing sensitive data. The onus will be on the business to show that the consent was given. Where personal data is processed for direct marketing the data subject will have a right to object. The right to object will have to be explicitly brought to their attention.
- Parental consent will be required for the processing of personal data of children under age 16. The Individual EU Member States may lower the age requiring parental consent to 13.
- Fines for major breaches of the GDPR could reach up to the higher of 4% of annual worldwide turnover and EUR 20 million. Other infringements could attract a fine of up to the higher of 2% of annual worldwide turnover and EUR 10 million.
You will be laughing on the other side of your face if you have to pay a fine like that. Have you ever tried laughing on the other side of your face? It takes years of practice and can give you neck ache, so, best to avoid it - and avoid paying those fines too…