What does GDPR stand for?
GDPR stands for the General Data Protection Regulation. It will replace the existing data protection regulations in the European Union, and will be brought into domestic law via the incoming Data Protection Bill, which is currently passing through the parliamentary approval process.
The aim of GDPR is to clarify the law in the area of data protection, and to bring the laws protecting individuals’ data and rights into the current digital age.
When will GDPR apply to my business?
The Regulation will come into force on 25 May 2018, following a two-year transition period which began in April 2016. The GDPR will apply to the UK, which will still be part of the European Union at its commencement date. Looking to the future, the UK Government has drafted a bill on data protection, which is currently in Parliament. Once approved, it will replace the Data Protection Act 1998 and bring GDPR principles into domestic law, so that the regulation will apply irrespective of Brexit.
Who will be affected by GDPR?
GDPR applies to any organisation that holds and processes personal data of individuals residing in the EU, whether or not the organisation itself is based in the EU. GDPR will apply to SMEs.
What constitutes ‘personal data’?
Personal data is any information which can be used to directly or indirectly identify a person or ‘data subject’.
This includes name, address, date of birth, IP address, sex, race, bank details, medical information and photographs to give just a few examples.
It is also important to note that parental consent will be required for processing of the personal data of those under 16.
Does every organisation have to appoint a Data Protection Officer (DPO)?
In short, no. A DPO must be appointed if an organisation:
- is a public authority,
- carries out large-scale systematic monitoring, or
- carries out large-scale processing of sensitive personal data.
However, even if your organisation is not strictly required to appoint a DPO under the above, it is highly advisable to appoint an individual who assumes responsibility for the obligations of the organisation in respect of data protection.
What are my obligations under GDPR?
There are many obligations on organisations under GDPR and this is something that you should seek tailored, individual advice on.
However, to summarise, the rights of individuals have been significantly reinforced and include new principles such as more extensive requirements in respect of consent to data processing, a new ‘right to be forgotten’ and enhanced transparency on data processing.
In terms of accountability, penalties for breaches have been significantly increased, with a new maximum fine of £17 million, or 4% of gross turnover.
The new Data Protection Bill will bring a number of other amendments into domestic data protection law, and you should ensure that you monitor its progress and what implications it will have on how you carry out your business.
What should we do if there is a Data Breach? Will we automatically be fined?
Every organisation should implement a detailed Data Protection Policy prior to the commencement of GDPR and the new Data Protection Act. In the event of a breach, it is vital to act quickly to mitigate any failures. Under GDPR, you will have 72 hours to report a data breach to the relevant authorities, and additional fines will be levied on those who do not comply with this requirement.
You should also report any breaches to any professional bodies of which your organisation is a member. The procedures for reporting breaches should be detailed in your Data Protection Policy.
Companies will not be automatically fined for breaches; fines and penalties will be issued on a case-by-case basis. However, when the new legislation comes into force, the relevant authorities may well seek to make examples of those organisations which have permitted data breaches by issuing harsher penalties and fines.
Are there any exemptions from compliance with GDPR?
GDPR permits Member States to provide for exemptions or derogations in certain circumstances. The forthcoming Data Protection Bill will provide for any exemptions applicable to organisations within the UK.
The Bill is still in the process of being approved and is subject to amendments, but based on the current version, there are a number of exemptions which are similar to those in the Data Protection Act 1998.
The proposed exemptions include data processed for the following:
- crime, prosecution and regulatory purposes,
- immigration control,
- legal proceedings and legal privilege,
- journalistic purposes, and
- taxation purposes.
If you think your organisation may be subject to any exemptions, you should seek legal advice on the extent of the exemption and your obligations.
The exemptions are not from GDPR in its entirety, but rather from specific requirements under GDPR.
For more information regarding GDPR compliance and requisite policies please contact us on: firstname.lastname@example.org