At sea with the GDPR
In April 2016, the European Union finally passed a dry, but important, piece of legislation, the General Data Protection Regulation (GDPR). EU member states were given a two-year period to implement it into their own national law, writes Adam Bernstein.
Despite the move towards Brexit, the UK will be implementing the GDPR and it will continue to have effect through a new Data Protection bill that is currently wending its way through Parliament. The UK will be fully compliant from May 25 2018 and all businesses, irrespective of size, need to plan for the new changes.
Personal data is defined as anything relating to a person who can be identified directly or indirectly. Numerous surveys over the summer of 2017 have suggested that firms will have difficulty in complying with the GDPR unless they make significant changes to how they operate. It makes no odds how small a company is or how much data it holds; so long as data can identify an individual the GDPR will apply. The rules – under the present Data Protection Act and the GDPR – also apply to structured paper records. If records are searchable, they’re caught by the legislation.
The GDPR markedly changes the enforcement and penalty landscape. The Information Commissioner’s Office (ICO) can presently levy fines of up to £500,000 under the Data Protection Act. The GDPR raises that to a maximum of 4% of global turnover or 20m euros – whichever is higher.
Those holding data have to ensure that data is securely kept and that staff are briefed on the law. More importantly, holders of personal data will have to design safeguards into their systems which need to be appropriate and in proportion to the degree of risk associated with the data held.
A fundamental tenet of the GDPR is the requirement that consent be given by the individual whose data is held. Consent is specifically defined by the GDPR and means ‘any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed’. Firms need to be able to show how and when consent was obtained. It cannot be obtained through pre-ticked boxes, nor can it be bundled with other matters such as an employment or other contract. Individuals can withdraw their consent at any time and have a right to be forgotten.
When collecting data, it’s a requirement of the GDPR that the individual is told about the identity and contact details of the data-gathering business; the purpose of acquiring the data and how it will be used; whether the data will be transferred outside of the EU and EEA; how long the data will be stored for; their right to access, correct or have the data held erased; the right to withdraw consents previously given at any time and the right to lodge a complaint.
Importantly, the GDPR demands that individuals must be told how their data is processed in a clear and understandable way. Individuals can make requests to see their data, and these must be fulfilled ‘without undue delay and at the latest within one month of receipt of the request’.
Another change brought in by the GDPR requires companies to report any breaches of security. Where the breach involves personal data, companies must notify the appropriate authority, most likely the ICO, no later than 72 hours after having become aware of it. This could, if a breach occurs on a Friday, mean working through the weekend.
The GDPR is not going away and Brexit is not going to save a business from complying with its requirements. Time spent on the ICO’s website (https://ico.org.uk) will be time well spent.