The General Data Protection Regulation (“GDPR”) will become effective on 25 May 2018. The focus is accountability and privacy by design. Organisations will be expected to have appropriate technical, physical and organisational security in place to protect personal data.
Businesses processing personal data currently operate within the Data Protection Act 1998. As with many of our laws, this is based on EU law and has been updated with additional obligations for businesses. The additional obligations are found in the Regulation. The Government has confirmed that, regardless of Brexit, GDPR will come into effect in May 2018. It is vitally important that businesses keep up to date with their obligations in relation to data protection.
Key changes under GDPR are:
- Accountability and privacy by design. There are onerous accountability obligations to demonstrate compliance, which include maintaining certain records, conducting data protection impact assessments for higher-risk processing, and implementing data protection by design and by default. The Information Commissioner has recently indicated that accountability is a cornerstone of the Regulation.
- Data controllers are to designate a data protection officer (DPO) where processing is carried out by a public authority, where the organisation’s core activities consist of regular and systematic monitoring of data subjects on a large scale, or where its core activities consist of large-scale processing of special categories of data.
- Data processors are to have obligations for the first time.
- Changes to the rules of consent by data subjects to processing including more detailed requirements on fair processing notices and enhanced rights for data subjects.
- New obligation to notify the Information Commissioner of data breach.
On a practical level it is in a business’ interest to comply with GDPR. The threat of hacking and other forms of cybercrime increases daily. Implementing a data protection regime is an important part of managing the cyber risk which most, if not all, businesses now face. To start preparing your company for compliance, Cleaver Fulton Rankin’s Cyber Risk Unit provides tailored advice on data protection issues. We can help with the following:
- Understanding how data protection laws apply to your business
- Dealing with a data subject’s rights e.g. subject access request
- Data protection issues in the workplace
- Outsourcing and dealing with 3rd party service providers
- Marketing practices
- Data breach
Cleaver Fulton Rankin also provides the following services:
- Review of employment contracts and 3rd party service contracts
- Training and awareness sessions for all employees who have access to personal data
- Ad hoc advice on data protection issues