Q&A: General Data Protection Regulation
1. When will the new Regulation apply?
On 25th May 2018 all EU organisations will need to comply with the new Regulation.
Organisations outside of the EU but dealing with EU data will also have to comply with the GDPR.
2. What can organisations expect?
The Regulation contains many of the same principles found in the current Data Protection Act; therefore, organisations already compliant with the current law will have a strong foundation to build on.
However, the Regulation does represent a major step change in the face of significant advances in technology and the digital age. Organisations should therefore expect new features and procedures that will need to be incorporated into the running of their businesses.
Organisations must devote time and effort, and prepare appropriate resources to implement the changes under the GDPR.
3. Which concepts are going to impact organisations the most?
Some of the key changes to expect are:
- Accountability and Data Processors – data processors will have direct compliance obligations and shall be subject to penalties for the first time under the GDPR.
- Validly obtaining Consent – this will be harder to obtain due to the very high standard of consent required by the GDPR. Organisations will need to be able to demonstrate consent was validly obtained.
- Privacy Impact Assessments – organisations will need to perform data protection impact assessments (PIAs) before carrying out any processing that uses new technologies.
- Enhanced rights of Data Subjects – organisations will need to respect the enhanced rights of data subjects and act accordingly.
- Increased Enforcement Powers – fines under the GDPR will significantly increase and shall be based on a two-tier regime.
4. What will organisations need to do?
- Appoint a person or team within the organisation to take responsibility for compliance with the GDPR.
- Identify what data is held by the organisation and why, on what legal basis the organisation is processing the data (i.e. consent, contractual, legitimate interests), and where the data is stored and who has access to it.
- Review the organisation’s procedures, policies and privacy notices. Commercial agreements including those with suppliers and insurers should be reviewed to ensure the new obligations and potential risks are covered.
- Organisations should maintain detailed documentation in order to show paper trails relating to data processing activity and privacy impact assessments carried out.
5. How will Brexit affect Data Protection?
There are a lot of uncertainties surrounding Brexit. However, it is likely that the UK will adopt a very similar or identical data protection policy to that of the GDPR.
6. Can Jacksons help?
Following on from our seminar ‘The New Data Protection Regime, Are You Ready?’, the Corporate and Commercial team shall be issuing a monthly newsletter during the countdown to May 2018. Additional seminars will be held later in the year, and the team can also undertake a full contract and policy review of organisations’ data protection procedures. For more information please contact Charlotte Alexander on [email protected] or 01642 356504.