By Employment and Privacy Law Partner, Carl Atkinson
On 25th May 2018, the General Data Protection Regulation (GDPR) will come into force in the UK, implementing the biggest change to data protection law in a generation.
Non-compliant businesses are at risk of enforcement action that could damage both their public reputation and their bank balance. The upper limit for fines for non-compliance has increased to 20 million Euro or 4% of annual global turnover, whichever is higher. This has re-emphasised the importance of data protection at executive level.
Despite high-level media attention, there is still widespread uncertainty about GDPR among businesses. Many have yet to adopt a clear plan to ensure they meet the requirements of the new legislation. For these businesses, the best course of action will be to use the coming months to prioritise the steps needed to update their data protection policies and strategies, increasing their awareness of the new legislation and of what it will take to comply with it. A first step may be to ensure that key business stakeholders understand the need for change and have 'bought in' to the plans for compliance.
All business stakeholders, whether currently compliant or not, must understand that GDPR is a fundamental development of the existing data protection regime. They should not assume that their present understanding or existing policies will be adequate to ensure compliance.
The starting point for most businesses will be to conduct a data audit. This is to understand what personal data they are holding in relation to EU residents, where it is held and what processing of that data they are undertaking. They should also consider whether they can justify the continued retention and processing of such data. One impact of GDPR will be to encourage change in the traditional commercial assumption that all personal data should be retained indefinitely.
Businesses may conclude that it would be preferable to delete any personal data which they do not need for an ongoing process. Many may find that they do not have the luxury of this discretion, as the GDPR will allow individuals to withdraw their consent to the processing of their data. Businesses will therefore be required to delete that data from their systems. Businesses which do not understand what data they are holding, and where it is stored, before the regulation takes effect will find it difficult to comply with deletion requests.
One of the first considerations for businesses will be to review (and almost inevitably amend) their privacy notices and any other information which they use to explain to individuals how they will use their personal data. Given the nature of the changes which will be imposed by the GDPR, it is highly unlikely that existing privacy notices will be adequate for the new legislation.
Once these initial steps have been undertaken, businesses should be well placed to begin more significant compliance reviews. Over the coming months, ahead of the GDPR taking effect in May of this year, we will continue to set out a series of practical steps which businesses can follow to maximise their chances of complying with the new legislation.
If you have any further questions regarding GDPR, contact Carl Atkinson, Employment and Privacy Law Partner, who will provide further guidance where necessary.