The general data protection regulation: now is the time to act
The General Data Protection Regulation (the “GDPR”) is effective as of 25th May 2018 and with 2018 on the horizon, all businesses should now be starting to consider how the GDPR will affect them and what changes they may need to put in place.
The GDPR is set to replace the current Data Protection Act and businesses should ensure that they understand how they will be affected by the new data protection landscape which it will herald and that they have prepared themselves accordingly.
It is prudent for a business to understand the implications of the GDPR and how the new law will affect it now, prior to its effective date, to ensure compliance from day one. Businesses will need to ensure that they have compliant procedures set up to mitigate and manage risks, as well as ensuring that their compliance can be evidenced should this prove to be necessary.
Businesses should also be considering whether they need to appoint a Data Protection Officer (“DPO”). In some cases, it may not be a requirement to appoint a DPO, but the responsibilities of a DPO should nonetheless be delegated within a business.
Businesses should also be considering the increased responsibilities placed on them as a result of data subjects’ increased rights to control how and by whom their data is stored and used. Under the GDPR, it is of great importance to ensure that specific consent is obtained from each data subject whose data a business processes and/or controls, or intends to, as, for example, acquiescence (such as failing to un-tick a pre-ticked box in a privacy notice) will no longer indicate valid consent.
Charges regarding data subject access requests have also been revised. Previously it was permissible to charge a fee of £10 to action such a request. Now, individual requests will need to be reviewed and only where deemed excessive or repetitive can a reasonable fee be charged. In some cases, where requests are manifestly unfounded, a refusal can be made to carry out the request. It is important to understand the implications upon your business regarding data subject access requests and when these can be charged for or refused, especially as the publicity around the GDPR is likely to lead to an increase in the number of such requests being made to businesses generally.
Failing to comply with the GDPR from its effective date may lead to a business being liable to pay a fine in the sum of 20 million Euros or 4% of its global annual turnover, whichever is the greater. This is significantly more punitive than the previous maximum of £500,000 under the Data Protection Act.
Such fines can be imposed not only on businesses for failing to comply with the GDPR in respect of the personal data of clients and customers, but also for the personal data held on employees.
Seek guidance earlier rather than later
Against this background, prudent businesses would be well advised to seek guidance on the GDPR sooner rather than later with a view to preparing for and complying with the GDPR from May next year.
Here at Franklins Solicitors LLP, our Corporate Services team would be delighted to assist you by providing expert advice and ensuring that your business is ready for the new data protection regime under the GDPR.
Christopher Buck is a Solicitor and Associate Partner in the Corporate Services team of Franklins Solicitors LLP, which has offices in Milton Keynes and Northampton. Christopher seeks to provide cost effective solutions to businesses and can be contacted on 01908 660966, 01604 828282 or Christopher.Buck@franklins-sols.co.uk.