The General Data Protection Regulation – is your business ready?

On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force across the EU and will change the way that businesses collect, manage and display data.

Regardless of Brexit, the GDPR will still affect businesses in the UK.

Whilst many aspects of data protection law will remain the same, there will be some significant changes that your business should be prepared for.

Here are 8 key issues you should be aware of:

1) Penalties for breach will be substantially increased

Under the Data Protection Act, the maximum fine is £500,000. Under the GDPR there will be two tiers of fines. Tier one is up to 2% of annual worldwide turnover of the preceding financial year or €10 million (whichever is greater) for violations relating to internal record keeping, data processing contracts and data security. Tier two is up to 4% of annual worldwide turnover of the preceding financial year or €20 million (whichever is greater) for violations in relation to breaches of the data protection principles, conditions for consent, data subject rights and international data transfers.

2) Consent from individuals will be harder to obtain

Consent will need to be given by individuals by way of a clear affirmative action establishing freely given, specific, informed and unambiguous agreement to the processing of personal data. This can be done by a written, electronic or oral statement of the individual. Businesses that rely on consent for the use of personal data will have to review how they obtain it; mere acquiescence such as pre-ticked boxes, silence and inactivity will no longer be enough. Businesses should revisit, and revise where required, documents such as their terms of business and privacy policies.

3) Focus on risk assessments

The GDPR focuses on “privacy by design” and businesses should carry out risk assessments to inform their internal processes and procedures. In some cases, for example businesses operating in “high risk” situations (e.g. those involved in profiling, or deploying new technologies), it will be necessary to conduct a privacy impact assessment, guidance on which is available from the ICO.

4) Appointment of Data Protection Officers (DPOs)

Certain businesses (including public authorities) must also appoint a DPO, specifically those carrying out large scale monitoring of individuals and those dealing with certain categories of data. However, any business can choose to appoint a DPO and it would be considered best practice to do so.

5) Notification of a breach

Businesses will have to notify the National Data Protection Agency (in the UK, the Information Commissioner’s Office) of all data breaches without undue delay and, if possible, within 72 hours. A data breach response plan will need to be put in place to enable the business to react promptly. Businesses will need to ensure they have appropriate policies in place to identify and respond to any data breach quickly.

6) The ‘right to be forgotten’

Individuals will have the right to request that businesses delete their personal data in certain circumstances. Businesses should ensure they have a procedure in place to deal with a request for information to be deleted. Businesses will need to revisit their existing systems – how easily can data be deleted? Is there sufficient internal resource to deal with requests? If certain information must be retained for regulatory reasons, a business should ensure this is reflected in its privacy policy.

7) The right to object to profiling

An individual may, in some circumstances, exercise the right to object to profiling – this can include online tracking and behavioural advertising. How this will affect a business depends on how often it engages in profiling activities. If a business uses profiling regularly, it will need to consider how best to implement appropriate consent mechanisms.

8) Changes to Subject Access Requests

Under the GDPR, businesses will no longer be able to charge individuals for dealing with SARs. The time for responding to a SAR is also reducing from 40 days to just one month.

The GDPR will introduce some substantial changes by creating harmonisation across the EU and addressing technological developments. Big organisational change may be required by many businesses to ensure compliance. Businesses may also need to amend their contracts with third parties (e.g. IT suppliers), redesign data processing systems and update their privacy policies. The GDPR also affects the movement of data, in particular data transfers out of the UK and the EEA.

Given the significant penalties for non-compliance with the GDPR, it is crucial that businesses start thinking about the changes now before they come into force on 25 May 2018.

If you would like more information on data protection or the GDPR, please contact our Data Protection team.