From 25 May 2018 the General Data Protection Regulation (GDPR) will apply directly in the UK.
The scale of the changes, compared with what the current Data Protection Act 1998 (DPA) provides for, is considerable, particularly as UK businesses have little over a year left to prepare.
Some of the key changes to expect are:
- Accountability and Data Processors – data processors will have direct compliance obligations of their own and, for the first time, will be exposed to penalties under the GDPR rather than only to contractual claims from the controller.
- Validly obtaining Consent – consent will be harder to rely on because of the high standard the GDPR sets: it must be freely given, specific, informed and unambiguous, and indicated by a clear affirmative action, so pre-ticked boxes and silence will not do. Businesses will also need to be able to demonstrate that consent was validly obtained.
- Data Protection Impact Assessments – businesses will need to carry out data protection impact assessments (DPIAs) before any processing that is likely to result in a high risk to individuals, in particular where new technologies are used.
- Increased Enforcement Powers – fines under the GDPR will increase significantly and will operate on a two-tier basis: up to EUR 10 million or 2% of worldwide annual turnover for breaches of obligations such as security and record-keeping, and up to EUR 20 million or 4% for breaches of the core principles, individuals' rights and the rules on consent and international transfers, whichever is higher in each case.
Steps to prepare:
- Audit – businesses should undertake internal audits to establish what personal data is being processed, the purpose(s) for which it is processed, where it comes from, how and where it is stored, who has access to it and to whom it is disclosed. This data map underpins the risk-based approach the GDPR requires.
- Review – businesses should review their existing data protection policies, procedures and privacy notices against the new GDPR obligations. Commercial agreements, including those with suppliers and insurers, should also be reviewed to ensure the new obligations and the increased potential liabilities are covered.
- Record – businesses should maintain detailed documentation evidencing their data processing activities, the lawful basis relied on for each, and any data protection impact assessments carried out, so that compliance can be demonstrated to the regulator on request.
To find out more please join the Corporate and Commercial Team on Thursday 25th May for a free breakfast seminar on the General Data Protection Regulation. More information can be found here: http://bit.ly/2qtWhNQ.