The General Data Protection Regulations (EU) 2016/679 (The GDPR) are to be implemented into UK law on the 25th May 2018. The regulations will have direct effect in UK law from that date.
The GDPR is designed to enable individuals to better control their personal data and will allow for a single set of rules to govern this area. The aim is to make it cheaper and easier for business to be carried out across the EU. The regulations will affect any business holding personal data on customers, prospects or employees based within the EU.
So what is personal data?
This is defined in the regulations as any “information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier.”
There are a number of personal identifiers which could constitute personal data, including name, identification number, location data or online identifier. This broad definition reflects changes in technology and the way organisations now collect information about people.
Data Protection Principles
Under the GDPR, the Data Protection Principles set out the main responsibilities for organisations.
Specifically, Article 5 of the GDPR stipulates that personal data shall be:
In order to implement these principles, organisations must have a Data Controller (which in most organisations will already be in place due to current data protection legislation). The Controller must be able to demonstrate compliance with these principles.
The Regulations also separate the responsibilities and duties of data controllers and data processors, stating that controllers should only engage those processors that provide “sufficient guarantees to implement appropriate technical and organisational measures” to meet the Regulation’s requirements whilst also protecting the data subjects’ rights.
Many organisations have already adopted “GDPR friendly” policies. There is a risk of substantial penalties and fines for those who do not update their systems in time for the 25th May deadline.
GDPR mandates that data protection officers report any personal data breach to the supervisory authority within 72 hours. They should provide details of the nature of the breach, the categories and approximate number of individuals impacted, and the contact information of the data protection officer. Notification of the breach, its likely consequences and how the organisation intends to remedy it must also be sent to the impacted customers as soon as possible.
The penalties for a data breach are substantial. If it is determined that there has been a serious violation, companies will be fined up to €20m or four percent of their global turnover – whichever is greater. Less serious violations will incur fines of two percent of global turnover.
It remains to be seen how the supervisory authority tasked with imposing these fines will work in practice.
A study published by Close Brothers UK found that around 82 percent of the UK’s small and medium businesses were unaware of GDPR. This is an alarming thought! The above information is only a very small snapshot of the regulations, which are complex and difficult to understand. That is why it is vitally important for businesses to ensure that their data controller has a good understanding of the regulations before they come into force.
Should you require further information please contact Sarah Lynch on 01698 373 365 or sl@pomphreyslawcom.