You know that mildly irritating government advert on TV exhorting businesses not to ignore the work place pension? Well think of this as a mildly irritating article exhorting you not to continue to ignore the new General Data Protection Regulations (GDPR).
I doubt that data protection is a topic that is likely to get many going, at least not in a positive way. Many in business will see it as more red tape that ties up administrative time and resource without delivering any apparent business benefit.
However, data protection is something that really does deserve some attention because the existing data protection laws will be replaced by the GDPR and they come into force on 25th May 2018. You need to find out what they will mean for your business.
Some may be labouring under the misapprehension that the GDPR will not be an issue for their sector or business. Think again. The GDPR are wide ranging: they cover (among other things) the handling of employee data, customer data, and supplier data. So they apply to anyone, one way or another, with employees, customers and/or suppliers.
- failure to comply could result in maximum fines for certain data breaches of up to €20m or 4% of global turnover, whichever is larger (considerably up from the current £500,000 limit).
- there is a requirement to notify the Regulator and the individual involved of a data breach that impacts on that individual’s privacy within 72 hours of it occurring. Would your current data protection systems allow you to identify a data breach let alone quickly enough to notify it within 72 hours?
- individuals will have increased rights to access data held about them and they will have a new ‘right to be forgotten’.
- businesses that outsource the processing of personal data will have greater duties to ensure that their outsourcing contracts are appropriate.
- businesses will need to be transparent with regard to how personal data is used which will require a review of privacy policies.
Compliance will look different for every business because the data collected and how it is used will be different, so what should companies do next? A good start would be:
- consider what personal data is held and if databases will be compliant.
- assess how personal data is collected and consider what the individuals concerned are being told about how that data will be used; are you being sufficiently transparent?
- consider the legal basis for the way you use the personal data you have. Where any data is processed on the basis of consent, are the consents compliant with the GDPR?
- review your data retention and data breach policies.
In the interests of balance, it should be pointed out that while complying with the new GDPR will undoubtedly require work all is not doom and gloom. There could also be opportunities. Compliance may make your business a more attractive prospect to clients because good data governance can build customer trust and getting the right permissions may also help businesses take advantage of the “Big Data Revolution” permitting them to commercialise their data.
Whatever you do, please do something. May 2018 will be here soon and being caught out could be very expensive.
About the author: Sarah Phillips is an associate in the real estate team at Irwin Mitchell LLP.