The upcoming General Data Protection Regulation (GDPR) is the biggest change to data privacy law in many years. All organisations which hold or process personal information need to comply from 25 May 2018. Kim Walker, intellectual property lawyer, runs us through what will change, what this means for your business and how to get ready.
Data protection laws have always been designed to protect people’s privacy while letting businesses and public bodies reap the benefits of a data-rich society. However, given the volumes of data flowing in the digital age, the current regime is no longer fit for purpose.
Increased connectivity and the growth of digital services and social media mean people are widely sharing their personal information with multiple organisations and companies.
High-profile data breaches across the corporate world have shown the need to tighten data security. At the same time, individuals are increasingly concerned about what businesses are doing with their private information.
On 25 May 2018, a new EU-wide regulation – known as GDPR – will become applicable and enforceable. From that date the law gets stricter on the collection and handling of personal data.
GDPR concerns all businesses
Businesses and organisations operating in the EU which hold data (including expressions of opinion and intention) about identifiable individuals – customers, suppliers and employees – will be covered by the new GDPR.
In practice, this means every EU business and organisation.
Even businesses fully complying with the existing data protection laws should be taking steps now to ensure they will remain compliant.
What does the new GDPR change
In a nutshell, the new GDPR gives individuals more control over their own data. The main changes with potential impact for small businesses are:
- The new principle of accountability: The new rules will require businesses not just to comply with the law but, under the new principle of accountability, to have processes, documentation and policies in place that show how they comply. These will have to be understandable for all staff, and companies will need to keep records that demonstrate their compliance.
- Justification for data usage: All businesses will have to be able to demonstrate and document the legal basis which justifies holding, sharing and using any personal data for the purposes of their business.
- New requirements for consent: If a business relies on the customer's consent as justification for its use of data – e.g. for marketing purposes – that consent must now meet the stricter requirements of the GDPR. Consent must be freely given by a clear affirmative action of the individual (e.g. an unticked opt-in box, not a pre-ticked one). It must be specific to a purpose and unambiguous, and it must be as easy to withdraw as it was to give. Detailed records of the consent given, its scope and its date must also be kept. And yes, this may well mean going back to customers now to obtain new, compliant consents which can be relied upon after 25 May.
- Stricter enforcement: There will be an increased focus on enforcement, with maximum fines of EUR 20 million or 4% of the company’s global annual turnover, whichever is the higher.
- The right to be forgotten: Individuals will have new rights, including the right to be forgotten (erasure) and the right to object to being profiled. Individuals will also be entitled to receive an electronic copy of the data they have provided to companies. Data subject rights requests will, as a rule, be free of charge – this is likely to mean such requests increase in number and frequency. Businesses will therefore need to know where all personal data is held in their (and their staff’s) systems. In some cases, changes to current IT systems and data storage processes will be necessary.
- Outsourced services will be liable: For the first time, businesses which process data on behalf of other businesses (“processors”) will be directly liable for the way in which they handle the data entrusted to them, as well as for the personal data they hold on their own account. These include outsourced service providers such as payroll providers, IT hosting companies, marketing businesses, etc.
Five steps to get GDPR-ready
It is highly likely that every business will need to make changes to how it handles and looks after personal data. Here are five practical steps you can take now:
- Get buy-in from the management that action is required.
- Conduct a full data audit. This should provide you with a clear picture of the kinds of data your business holds, where the data is stored, how it is collected and with whom it is shared.
- Analyse any gaps in compliance and plan the corresponding rectification actions.
- Get your team trained and on board: they should be able to spot possible risks or gaps in compliance.
- Start now! Rectification actions can take time and budget to implement and may include:
- new and updated policies and data collection notices
- altering systems and databases to adjust access rights or to record details of consent
- deleting unnecessary or inaccurate data
- encrypting and anonymising the data you already hold
- training staff
- making risk assessments
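The consent requirements above (one specific purpose per consent, an affirmative opt-in, a record of scope and date, and withdrawal that is as easy as giving consent) translate into a concrete data model for the "record details of consent" step. The following is an added illustration, not code from the article or from Shakespeare Martineau: an append-only consent ledger in Python. The purpose names, subject identifiers, timestamps and evidence strings in it are constructed sample data, and `ConsentLedger` and its methods are this example's own names, not any product's API.

```python
"""Append-only consent ledger (added example; names and sample data are assumptions).

Records one event per (subject, purpose) change so that a business can later
demonstrate, for any point in time, whether it held valid consent for a given
purpose, and can hand the individual a copy of everything recorded about them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str   # the individual: customer, supplier or employee
    purpose: str      # exactly one specific purpose, e.g. "email_marketing"
    given: bool       # True = consent given, False = consent withdrawn
    at: datetime      # when it happened (timezone-aware, UTC)
    evidence: str     # how it was captured, e.g. which form/notice version


class ConsentLedger:
    """Events are only ever appended; the history itself is the audit record."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, given: bool,
               at: datetime, evidence: str) -> None:
        if at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        if not evidence:
            raise ValueError("every consent event needs evidence of how it was captured")
        self._events.append(ConsentEvent(subject_id, purpose, given, at, evidence))

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """True only if the latest event for this subject and purpose, on or
        before `at`, is a grant. No record means no consent: never default
        to opt-in, and consent for one purpose never covers another."""
        at = at or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.at).given

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything held about one individual, in time order, e.g. to
        answer an access request or to show what was consented to and when."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.at)


def demo() -> Dict[str, object]:
    """Walk through a grant followed by a withdrawal (constructed sample data)."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 26, 9, 0, tzinfo=timezone.utc)
    ledger.record("cust-42", "email_marketing", True, t0,
                  "web form: unticked opt-in box, privacy notice v2")
    ledger.record("cust-42", "email_marketing", False, t0 + timedelta(days=10),
                  "one-click unsubscribe link in newsletter")
    return {
        "before_withdrawal": ledger.has_consent("cust-42", "email_marketing", t0 + timedelta(days=1)),
        "after_withdrawal": ledger.has_consent("cust-42", "email_marketing", t0 + timedelta(days=11)),
        "other_purpose": ledger.has_consent("cust-42", "profiling", t0 + timedelta(days=1)),
        "unknown_subject": ledger.has_consent("cust-99", "email_marketing", t0 + timedelta(days=1)),
        "history_len": len(ledger.history("cust-42")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices matter here. Consent is recorded per purpose rather than as a single flag, so marketing consent cannot silently be reused for profiling; and withdrawal is a new event rather than an edit or deletion, so the business keeps proof of both the original consent and the date it ended, which is exactly the record the accountability principle expects.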
Benefits for businesses
The new rules will facilitate business by harmonising the rules for companies operating in the EU digital single market. A single law also does away with the fragmentation, and the costly administrative burden, of complying with differing national regimes.
Increased publicity about the new GDPR in recent months means that customers and employees are likely to be much more aware of their rights. Compliant businesses may enjoy a potential competitive advantage: customers will likely recognise a business that looks after their data properly and respects their rights.
GDPR compliance means more than just putting in place processes, policies and systems so complaints from individuals can be avoided: it means embedding a culture of respect for data privacy throughout the entire business.
All this can take time and budget. Our suggestion is to start immediately.
The Enterprise Europe Network has business advisers working on intellectual property and data protection in the EU and beyond. Reach out to your local contact point to learn more about support for your business.
Read in detail about the new GDPR in all 24 EU languages.
About the author
Kim Walker is a Partner at Shakespeare Martineau LLP, in London. There, he is part of the commercial team, dealing with contractual and intellectual property matters across several business sectors. Kim also works with the Enterprise Europe Network partner, London Chamber of Commerce and Industry, to provide training and legal advice to small businesses on the new GDPR.