We all hold personal data about clients, suppliers, professional contacts, employees, and prospective clients (e.g names, addresses, telephone numbers and email addresses).
Our collection, use and storage of personal data has been regulated since 1998. But the world we live in today is very different to the world of 1998 and our data protection laws have struggled to keep up over the last five to ten years, particularly with advances in technology, social media, mobile devices and targeted advertising.
From 25th May 2018, our 1998 data protection law will be replaced by the EU General Data Protection Regulation 2016 (GDPR). Some similarities will remain but there will also be new and different requirements. The UK Government has confirmed that, despite Brexit, the GDPR will be implemented into UK law and it will either remain as is once we exit the EU, or remain but with some changes.
So what will the GDPR mean for businesses? Where do they need to start focusing their attention and when?
Although the GDPR isn’t yet in force and won’t be for another 15 months, businesses should not underestimate the extent of changes which they will need to make, the time it will take and the financial costs which are likely to be incurred. It is therefore important to start the process now.
Here are our top ten tips for businesses to kick start the transition process:
1. Ensure that your senior management team and key people within your business are aware that the law is changing – you’ll need their buy-in and support.
2. Establish a data protection working group to take responsibility for your transition from the old to the new - this should comprise senior representatives from all your business areas (e.g HR, IT, marketing, financial and legal) in all countries where you operate.
3. Designate someone within your business (or externally) to take responsibility for your data protection compliance and to oversee the data protection working group – they will need to understand the GDPR and your business.
4. Prepare a transition plan and start building a data management policy.
5. Identify what personal data you hold, how you obtained it, where it is held, how long you’ve held it for and who you share it with (again for all countries where you operate).
6. Review your current policies, procedures and systems to identify what areas need to change and how those changes will be implemented – this includes your procedures for handling data subject access requests and data breaches, as well as your privacy notices.
7. Review your policies and procedures to ensure they cover all the rights which individuals have (the GDPR gives some new and different rights), including how you would deal with requests to delete personal data, or requests to transfer personal data that they have provided to you to a third party in a structured, commonly used and machine readable format.
8. Familiarise yourself with the implications of ‘privacy by design and default’ and ‘data protection impact assessments’ – these will be essential tools for you to use to promote privacy and data protection compliance within your business.
9. Identify what contracts will be impacted and potentially need amending, including contracts which you have in place with your suppliers, customers and any data processors, as well as your employment contracts.
10. Identify if any of your non-EU based subsidiaries offer goods or services to individuals in the EU, or monitor behaviour of individuals in the EU - they will get caught by the GDPR and so will need to be part of the above.
It is not just the time, effort and resources that should prompt you to start the transition process now. It is the potential fines for non-compliance.
Depending on the type of breach, under the GDPR you could be liable for a fine ranging from the greater of €10m or 2% of your company’s total annual turnover, or for more serious breaches the greater of €20m or 4% of your company’s total annual turnover. We can help. Our DataPROTECT service will provide you with the expertise and experience you need to help you through the transition from our current data protection laws to the GDPR. We will also help you through the ten steps above and what you need to do as a result of the answers you uncover.
If you would like any further information on DataPROTECT and how we can help your business, please contact Lisa Downs for a free initial chat on ldowns@rawlisonbutler.com or 01293 558593.
This document is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a
result of the contents of this document.