GDPR preparations gain momentum
With just three months to go until the new General Data Protection Regulation (GDPR) comes into force, all businesses should now have started planning how they will comply with the stricter requirements for processing personal data.
When the GDPR comes into force on 25 May, data protection laws in the UK will undergo their biggest overhaul since the Data Protection Act 1998. The changes will also apply throughout the rest of the EU, as the GDPR is an EU regulation. However, the UK has already announced that it will continue to comply with the GDPR after Brexit.
Some of the key changes to be introduced are:
- The definition of “consenting” to the use of personal data has been narrowed, so that it will no longer be acceptable for individuals to give permission through pre-filled tick boxes, or by accepting a term that is hidden among other lengthy terms and conditions.
- Organisations must be open and transparent with individuals about how and why they intend to process their personal data.
- It will be compulsory for some businesses to appoint a Data Protection Officer to oversee their compliance with the GDPR.
- There will be new requirements to keep written records of decisions taken about the processing of personal data.
- The maximum fines for serious cases of non-compliance will increase to the higher of €20 million or 4% of an organisation’s turnover.
In practice, in order to comply with the GDPR, businesses will need to assess all of the personal data they hold (including marketing databases and details of current and former employees) to see whether they still have a valid basis for holding and processing it. If not, and fresh consent cannot be obtained from each individual, the data will need to be deleted. Businesses should also review and amend their commercial and employment contracts and policies (or bring in new policies), ensure their staff are trained on how to handle personal data, and put systems in place for recording all decisions that are taken.