04-04-18

Never Mind the Bollocks – Here’s the GDPR By now surely everyone in the UK has heard or seen something about the General Data Protection Regulations (the “GDPR”) coming into force on 25th May – though it seems that an understanding of what is actually needed for compliance may be in short supply. In brief: the new GDPR is very much like the old DPA but with some specific enhanced requirements and, crucially, with dramatically-increased penalties for non-compliance.
 
As with the old regime, the central feature of the GDPR is “consent”. Organisations that store and/or use data that can identify an individual within the EU (aka “Personal Data”) must ensure that each of those “Data Subjects” consents to the processing of his/her Personal Data. In some cases, that consent can be implied merely because the data is being used only for the performance of a contract (e.g. a drycleaner would not require any explicit consent for taking a phone number to let the customer know when the suit is ready for collection) or because the data is being used for purposes of “legitimate interests”. In cases where no consent or legitimate interest can be implied, however, the organisation will need to obtain an unambiguous and freely-given “opt in” to a Privacy Policy – which must be easily-accessible, clear and concise (without any vague fluff like “we really value and respect your privacy”).
 
Additionally, the GDPR strengthens the requirements to honour “Subject Access Requests” (the right for individuals to see what data is being held about them), to appoint a DPO or DPR (Data Protection Officer or Representative), to maintain certain basic provisions in contracts with third-party data processors, and to ensure that any transfer of Personal Data out of the EU is subject to minimum enforceable standards.
 
Any breach of the GDPR now brings the spectre of having to immediately notify the authorities and the affected Data Subjects – and the range of potential fines now reaches to the greater of €20m or 4% of global turnover.
 
Every company that stores and/or processes Personal Data needs to take at least some basic steps toward compliance by (or as soon as possible after) 25 May 2018:
·          (if required) appoint a DPO (or DPR) to coordinate the company’s compliance procedures;
·          undertake a data audit of all electronic and physical data at all levels to confirm source, age, and usage (current and future);
·          consider deleting all data which is outdated or inaccurate or irrelevant, or where adequate consent was not obtained or cannot be evidenced;
·          ensure the level of data security is appropriate/proportionate;
·          create and update procedures for dealing with ongoing compliance, Subject Access Requests, Requests to be Forgotten, and any data breaches which may occur in future;
·          demonstrate an internal culture of “privacy by design and default”, and a customer-centric “state of mind”, by keeping written evidence of progress toward full legal compliance.
 
Europe has radically upped the stakes for every company (including those without any physical presence in the EU) that holds or uses Personal Data of individuals in the EU – and every such organisation now needs to raise its game to meet this new Data Protection challenge.
 
For assistance with a data audit and/or GDPR compliance in general, contact Clintons’ Data Protection team on 0207 379 6080 or via GDPR@Clintons.co.uk.
Article by Tom Frederikse