Opinion

General Data Protection Regulation (GDPR)

28th August 2017

The move by the Information Commissioner's Office (“ICO”), the regulatory body for data protection, to fine 11 charities for the misuse of personal data is a stark reminder to those processing personal data to take their obligations seriously and to understand the vast number of changes coming into force next year, so as to avoid similar penalties and damage to business reputation.

Penalties handed out to the charities, which included household names, totalled around £138,000. At present, the fines that the ICO is permitted to impose are limited to £500,000. Under the General Data Protection Regulation 2016 (“GDPR”), which comes into force next year, the maximum fine will be increased to four per cent of a business’s annual worldwide turnover or €20 million, whichever is higher.

However, it’s not just your organisation’s money that is at risk but also its reputation and the public’s trust.

What does this mean? The GDPR will come into force on 25th May 2018, despite Brexit, marking the biggest shake-up in data protection regulation for 20 years, since the Data Protection Act 1998.

So what can you do to prepare? There are a number of steps you can take now to ensure that you are ready. As a first step, we recommend that a data protection audit is undertaken to understand how your business operates and processes personal data, so that you can work out what is required and where changes will affect day-to-day activities. This includes activities such as fundraising, relationships with service users, marketing, outsourcing and compliance practices. Above all, it is crucial to establish where data is being processed and, if required, to put measures in place to ensure that data transferred out of certain countries is permitted, particularly as the GDPR will apply to goods and services offered by businesses outside of the EU. Our commercial team would be pleased to assist you with this process or to provide such general data protection advice as you may require.

A further review of internal policies and procedures will help highlight if any changes are required. We strongly suggest that all existing supply/outsourcing agreements and data processing agreements are reviewed at the earliest opportunity, as documentation will be key to mitigate any potential fines.

Training and awareness are also extremely important to make sure everyone in your organisation fully understands the new requirements and the extent of their obligations, particularly as the deadline for subject access requests will be reduced and data controllers will only be permitted to charge a fee in certain circumstances.

One of the biggest changes we will see is in relation to obtaining consent from individuals to process their personal data, including marketing, as consent will need to be clear, concise, informed, unambiguous and given by means of clear affirmative action.

It is important to note that accountability is central to the GDPR. Data controllers will be required to notify the ICO within 72 hours if they become aware of a data protection breach and in certain circumstances, may need to inform the individuals who are affected by the breach.

In addition, for the first time data processors, and not just data controllers, will also have obligations under the new regulations, and the age of consent for collecting an individual’s data will also rise from 13 to 16 years.

As stated, this is the biggest change we have seen to data protection regulation in decades; however, there is plenty of time to act and get your organisation ready now. We would therefore strongly urge you to conduct a review of your organisation to understand if and how it processes data, and whether it processes any sensitive personal data (which will impose additional obligations on the organisation), and to ensure that data protection policies and procedures are documented and adhered to, with initial and regular training carried out throughout your organisation.

If you would like to discuss any aspect of data protection in greater detail, please contact Katie Doyle or Peter Manford in our Commercial team who will be happy to assist.

Contact us

3 Waterfront Business Park
Brierley Hill
West Midlands, DY5 1LX

Email: law@higgsandsons.co.uk
Call Us: 0345 111 5050
