How Will the GDPR Affect me and my Business?

If your business processes or handles any form of personal data you’ve probably heard of the GDPR, the upcoming change in data protection regulations. You also may have heard scare stories about potential fines running to £millions, but may not be sure about how the change affects you.

The first thing you should know is that the GDPR is already law and has been for almost two years, but its enforcement doesn’t begin until 25th May 2018. You should also be aware that the large fines are real – breaching the GDPR can bring fines up to £17,600,000 – or 4% of your global turnover, whichever is higher.

What Are the Main Changes?

Some of the changes under the GDPR are more significant than others, but the biggest changes are that individuals’ rights and transparency requirements have been significantly expanded. You should certainly be aware of the following points, but understand this is not an exhaustive list. The regulation document is eleven chapters long and spread over 88 pages, and is therefore not easily digestible into a short article!

• People whose data is being collected (Data Subjects) will have to actively and unambiguously agree to have their data collected and shared. Those who hold or process the data (Data Controllers) can no longer assume consent if someone hasn’t requested that their data not be shared – and consent must be as easy to withdraw as to give.
• Transparency is important; people handling data must be able to show that consent has been given, and the Data Subjects must also be able to request and receive their data in a “structured, commonly-used and machine-readable format” free of charge.
• Privacy policies have to be in plain English, as short as possible, and will need to lay out the subjects’ rights, why the data is being collected, and how long it will be held for.
• Companies and businesses will need to have a reason for collecting and holding data – simply being transparent about the data they hold is not sufficient.
• If a data breach occurs, controllers will be required to report this to the supervisory authority within 72 hours and to notify the Data Subject without undue delay.

Will Brexit Affect the GDPR?

This is extremely unlikely, as the UK government intends to bring post-Brexit privacy laws in line with the GDPR – and any company that processes the data of EU citizens will still be bound by the regulations even after we leave.

Is This Different to the Data Protection Act?

It is and it isn’t! Many areas covered by the GDPR are also included in the DPA, but the transparency requirements are more stringent – and the rights of Data Subjects have been increased. All companies outside the EU who hold data on EU citizens also have to conform to the GDPR.

How Does My Business Ensure It Complies With the GDPR?

Companies and individuals processing data must take ‘reasonable steps’ to conform to the GDPR. Breaches of the new rules will be treated more leniently if the Data Controller can show they have tried to implement these regulations.

At Fraser Dawbarns LLP we strongly recommend that anyone responsible for processing other people’s data consults a Solicitor or GDPR specialist for help with compliance, leaving sufficient time to achieve this before May 25th.