Following years of negotiations, the General Data Protection Regulation (GDPR) is finally close to formal approval. If adopted this year, as expected, it is likely to come into force in the UK in 2018. The GDPR will replace the UK’s Data Protection Act 1998 (DPA) and will bring with it heightened obligations on UK businesses (including on data processors). Businesses that fail to comply with certain obligations under the GDPR will risk fines of up to the greater of €20m or 4% of annual worldwide turnover.
Rather than the current regime of notification by data controllers, businesses will need to implement more focused auditing and risk assessment procedures and ensure appropriate policies are in place. Data controllers may find that they need to adjust their data protection policies and procedures in order to meet the enhanced requirements of the GDPR. Data processors who are not currently subject to the DPA will be required to implement certain policies and procedures, and comply with privacy legislation directly, for the first time.
In light of the expected implementation of the GDPR, the ICO recently published guidance outlining twelve practical steps businesses can take now to prepare for it, including, in summary:
- making decision-makers in the business aware that the law is changing to the GDPR
- documenting personal data the business holds, where it came from and with whom it is shared
- identifying and documenting the types of processing carried out, the legal basis for that processing, and how consent is obtained and recorded, including, where applicable, how parental or guardian consent for children will be gathered
- reviewing existing privacy notices and planning for any necessary changes
- ensuring internal procedures allow for the detection, reporting and investigation of data breaches and handling of subject access requests in the requisite timescales
- ensuring systems allow for the deletion of personal data or the provision of data electronically
- familiarising oneself with the new rules and guidance regarding Privacy Impact Assessments
- if required by the GDPR, designating a Data Protection Officer to take responsibility for data protection compliance, and
- for international businesses, determining which data protection supervisory authority they come under.
The ICO is expected to publish further guidance notes and codes of practice ahead of the GDPR’s launch, and businesses that wish to stay ahead can monitor the ICO websites https://ico.org.uk/ and http://dpreform.org.uk for updates.
If you would like further information on the GDPR, please contact Beverley Flynn on +44 (0) 1483 734264, Gary Parnell on +44 (0)1483 734269, Ayesha O’Connor on +44 (0)1483 401236 or your usual contact at Stevens & Bolton LLP.