The General Data Protection Regulations (EU) 2016/679 (The GDPR) are to be implemented into UK law on the 25th May 2018. The regulations will have direct effect in UK law from that date.
The GDPR is designed to enable individuals to better control their personal data and will allow for a single set of rules to govern this area. The aim is to make it cheaper and easier for business to be carried out across the EU. The regulations will affect any business holding personal data on customers, prospects or employees based within the EU.
So what is personal data?
This is defined in the regulations as any “information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier.”
There are a number of personal identifiers which could constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
Data Protection Principles
Under the GDPR, the Data Protection Principles set out the main responsibilities for organisations.
Specifically Article 5 of the GDPR stipulates that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In order to implement these principles, organisations must have a Data Controller (which in most organisations will already be in place due to current data protection legislation). The Controller must be able to demonstrate compliance with these principles.
The Regulations also separate the responsibilities and duties of data controllers and processors, stating that controllers should only engage those processors that provide “sufficient guarantees to implement appropriate technical and organisational measures” to meet the Regulation’s requirements whilst also protecting the subjects’ rights.
Many organisations have already adopted “GDPR friendly” policies. There is a risk of substantial penalties and fines for those who do not update their systems in time for the May 25th deadline.
GDPR mandates that data protection officers report any personal data breach to the supervisory authority within 72 hours. They should advise of the nature of the breach, the categories and approximate number of individuals impacted, and the contact information of the data protection officer. Notification of the breach, its likely consequences and how the organisation intends to remedy it must also be sent to the impacted customers as soon as possible.
The penalties for a data breach are substantial. If it is determined that there is a serious violation, companies will be fined up to €20m or four percent of their global turnover – whichever is greater. Less serious violations will incur fines of two percent of global turnover.
It remains to be seen how the supervisory authority tasked with levying these fines will work in practice.
A study published by Close Brothers UK found that around 82 percent of the UK’s small and medium businesses were unaware of GDPR. This is an alarming thought! The above information is only a very small snapshot of the regulations. They are complex and difficult to understand. That is why it is vitally important for businesses to ensure that their data controller has a good understanding of the regulations prior to them coming into force.
Should you require further information please contact Sarah Lynch on 01698 373 365 or sl@pomphreyslawcom.