At Finnies we can advise firms on a wide range of business issues. Here we consider the new rules on data protection.
The new General Data Protection Regulation (GDPR) is set to come into effect on 25 May 2018, placing additional obligations on businesses in regard to the safeguarding of personal data.
The GDPR requires all organisations that deal with individuals living in an EU member state to fully protect the personal information belonging to those individuals, and to have documented proof of such protection. The UK's decision to leave the EU will not affect the introduction of the legislation in the UK.
The new regulations require a consistent and transparent approach to data processing, and the financial penalties for failing to comply are severe - with fines of up to €20m or up to 4% of total annual worldwide turnover.
While the principles of the new GDPR are broadly similar to the existing Data Protection Act (DPA), there are some key changes placing additional obligations on businesses.
The GDPR places a new emphasis on accountability and transparency when it comes to dealing with personal data. While businesses may already be compliant with many of the regulations as covered under the DPA, they will be required to provide documentary evidence of their compliance with the GDPR.
Specifically, the new rules state that businesses must be accountable for their data usage, and must identify a lawful basis for processing personal data.
The GDPR specifies that personal data must be:
The GDPR builds on the existing rights and principles for individuals under the DPA, as well as introducing some additional rights. Some of the key rights under the GDPR include:
The new law places particular emphasis on the issue of consent, stating that an indication of consent must be specific, unambiguous and freely given. Positive consent cannot be assumed from inaction, such as failing to click an online 'unsubscribe' box, or from the use of pre-ticked boxes. Businesses also need to make sure that they capture the date, time, method and the actual wording used to gain consent, so it is important to ensure that your business has the means to record and document such information.
Additional obligations apply to certain organisations and those with more than 250 employees.
Businesses should take steps now to make sure they are ready for the new legislation. Some of the main areas for action might include:
Further information and guidance can be found on the Information Commissioner's Office website: www.ico.org.uk.
If you would like advice on a range of planning matters, please get in touch.