Fiona Boswell

Partner, Head of Franchising and Commercial Services


GDPR: The Business of Data


Changes to the General Data Protection Regulation (GDPR) mean that businesses are now paying extra attention to the way that personal information is handled, and want to understand how to comply with the coming laws.

Fraser Brown Solicitors will be hosting a GDPR Round Table event on November 2nd 2017 in conjunction with Databasix, to help businesses prepare for May 2018 when the new legislation comes into effect.

If the coming changes will affect your business communications, we welcome your interest, and invite you to join us in breaking down “The Business of Data”.  Data Protection specialist and co-founder of Databasix, Kellie Peters, will be speaking at the Round Table event. Kellie will be joined by Fiona Boswell, Head of Commercial Services at Fraser Brown Solicitors.


Fiona is passionate about helping businesses implement contracts, policies and strategies that help them comply with the new GDPR, and provides valuable insight into what the changes can mean.


Fiona Boswell:

The Data Protection Act 1998 came into force on 1 March 2000 and significantly altered the data landscape for businesses. It recognised the value of data to businesses and imposed systems, procedures and restraints on how key data sets could be used by businesses. These measures were fairly robust, but in the last 15 years the influx of technology has significantly altered the way that businesses i) collect, ii) store and iii) use customer data, resulting in further changes on the horizon to harmonise laws and practices across Europe.


1. What are the new laws?

In order to deal with these advances, Europe has introduced a clearer, more consistent approach by each member state to data protection issues with the General Data Protection Regulation (GDPR). 

The GDPR became law on 25 May 2016 and will become effective on 25 May 2018. The GDPR will have significant effects on businesses using the data of individuals living in Europe. The UK Government has also recently started the process of implementing these changes into English law by issuing the Data Protection Bill.

Whilst the concept of personal data, data controllers and data processors will remain largely unchanged, other significant changes are made.

2. What are the key changes?

Greater Control for Individuals

The new GDPR provides individuals with more control over the way in which their data is used. At present businesses have been able to rely on the implied consent of individuals to use their data; however, the new GDPR will require businesses to obtain specific, informed, unambiguous consent from individuals to use their personal data for any purposes.

Risk Assessments and Data Protection Officer

Businesses will also have to carry out data protection risk assessments. This will apply to both data processors, e.g. businesses that cleanse data or marketing agencies, and data controllers, namely the business that collects the data from the customer.

Businesses will be required to maintain detailed records regarding their processing activities and all businesses will be required to appoint a data protection officer.

Breaches and Penalties

Businesses will be required to notify the DPA regarding any breaches immediately or without undue delay and there will be increased enforcement powers for a breach of data protection legislation.

The current position in the UK imposes a maximum fine of £500,000; however, the new laws increase this to a maximum fine of up to €20 million or 4% of a business’s annual global turnover, whichever is the higher. For franchise operators that are part of global networks these fines could therefore be really quite significant.

Third party processors such as marketing agencies and data cleansing organisations are not currently caught by the fines or penalties for breaches; however, under the new GDPR the penalties will apply to data processors as well as data controllers.

Right to be forgotten

In addition to individuals having increased control over their data, individuals will also now have the ‘right to be forgotten’. Essentially, individuals will be able to request that their personal data is deleted.

Customer Profiling

For businesses who analyse data for marketing purposes, this may become more difficult, as individuals will have the right not to be subject to profiling.

With all of these changes imminent and the potential penalties for failing to comply, it is essential that all businesses who are involved in data control or processing take a proactive approach.


3. When will these changes come in?

Businesses will have a bedding-in period until 25 May 2018 to get their house in order, which is not long considering the mountains of data that most businesses process and use these days.


4. What can I do to prepare for these changes?

- Take proactive steps to build in data compliance policies throughout your business now. It is key that staff at all levels understand the company policy on the business of data.

- Overhaul processes to comply with the new rules. Maintain customer confidence in your brand by adopting clear and transparent data collation policies that are reflected wherever your business interacts with its customers – e.g. in bricks and mortar outlets across the network, on websites and social media.

- Ask permission – most customers will welcome interacting with you – especially if you are providing valuable information to them. Flag the benefits of engagement – whether with offers, discounts, priority, or just continued added value service.

- Back to back your exposure in contracts with your data processor suppliers. Get assurances that appropriate consent has been obtained if supplied or supplying customer data lists.


Word to the Wise

These changes are coming in, and savvy businesses need to take a proactive approach to their use, storage and retention of personal and staff data by implementing consent systems and strategies to manage customer data in compliance with these new regulations now rather than later.


Fraser Brown, in conjunction with Databasix, will be hosting a GDPR Roundtable at its offices on Tuesday, 2 November which will discuss these new laws and the practical steps your business should take to comply. If you would be interested in more information, please don’t hesitate to email me, or alternatively call 0115 9888 777 to speak to our team.



Whilst every effort has been made to ensure the accuracy of this article, it does not provide complete coverage of the subjects referred to, and it is not a substitute for professional legal advice and should not be relied upon as such.

© Fraser Brown 2017

