The General Data Protection Regulation (GDPR), which replaces the Data Protection Act, applies from 25th May 2018.
This article contains general information about the General Data Protection Regulation (GDPR). It was accurate at the time of publication. Nothing in this article constitutes legal advice and it should not be treated as such. We recommend that you seek appropriate legal counsel for your own situation.
The biggest change to our data protection laws for 20 years is looming on the horizon. It will affect every organisation, regardless of the size, type or industry. Are you ready?
The Data Protection Act (DPA) is now 20 years old. Think about it. 20 years ago, the internet was nowhere near as all-pervasive as it is now. 20 years ago, we picked up the phone to speak to someone rather than sending an email. 20 years ago (for most of us, at least) we didn’t do most of our shopping online. 20 years ago, we weren’t asked to share our personal data with anyone when we wanted to buy something.
Why is the law changing?
GDPR will apply to every EU member state and aims to give control over personal data back to private citizens. According to the ICO (Information Commissioner’s Office), three-quarters of UK citizens don’t trust businesses to do the right thing with their emails, phone numbers, marketing preferences or bank details.
That’s a shocking indictment of UK industry, and a sign of just how much our everyday lives have changed.
If you run a business within the EU, you must be compliant with GDPR from Day One. It also affects any non-EU organisation that offers goods or services to, or monitors the behaviour of, individuals in the EU. There will be no phasing in, no cut-over period. And no excuses.
And before you ask, Brexit will have no impact on the implementation of this new legislation. The UK government has confirmed that GDPR will be carried into UK law, so whatever happens before, during or after Brexit, GDPR will be here to stay.
Who does it apply to?
If in the course of your business you collect, process and store personal data on anyone for any reason – your customers, your employees, your suppliers – then GDPR will apply to you. From sole traders to large multi-national corporations, everyone must comply with the new rules.
The main changes revolve around the concepts of “consent”, “active agreement”, the “right to be forgotten”, and Subject Access Requests (SARs):
• Consent: Organisations will be required to keep a thorough record of how, when and for what purpose an individual gave consent for them to store and use their personal data, and withdrawing consent must be as easy as giving it
• Consent will mean “active agreement” and not inferred consent, e.g. from a pre-ticked box or from inactivity/lack of response on the customer’s side
• “Right to be forgotten” (the right to erasure): if an individual wants you to erase (i.e. not just archive or make inactive) all their personal data from your systems, you will have to comply, unless there is a lawful reason to keep some of the data (e.g. HMRC record-keeping rules); remember that this includes copies held in backups and by any third parties you have passed the data to
• Subject Access Requests (SARs): if an individual asks you to send them all the personal data you hold on them, this must normally be given free of charge (the current charge is £10) and be sent within one month (the current time limit is 40 days). The one-month limit can be extended by up to two further months for complex or numerous requests, and a reasonable fee may be charged only where a request is manifestly unfounded or excessive
The ICO tells us that, according to its research, one in three UK businesses is not just unprepared for GDPR, it has never even heard of it! The ICO’s research also reveals that 48% of UK citizens are planning to use their new GDPR rights, 15% of them in the first month!
We strongly recommend that, if you haven’t already, you make sure your business is fully up to speed and compliant with the new GDPR rules well before 25th May. The ICO has published some handy guides for businesses which you can access through the following links: