GDPR – 5 Things You Need to Know

The General Data Protection Regulation (GDPR) will apply directly in all EU member states from 25 May 2018. If your business is not fully compliant by that date it faces exposure to substantial new fines and penalties.

Although the GDPR reflects many of the key data protection principles already found in the Data Protection Act 1998, there are some important changes coming into effect which businesses need to be aware of.

We consider five of these below:

1. Data Protection Officer

Under the GDPR, data controllers and processors must appoint a Data Protection Officer (DPO) where processing is carried out by a public authority or body, or where their core activities consist of i) the regular and systematic monitoring of data subjects on a large scale; or ii) large-scale processing of special categories of personal data (sensitive personal data) or of data relating to criminal convictions and offences.

Amongst other attributes, the GDPR requires that DPOs have expert knowledge of data protection law and practice, and stipulates that they perform their tasks in an independent manner, free from conflicts of interest.

2. Consent

The GDPR introduces a higher standard for obtaining consent than the Data Protection Act 1998. Organisations must be able to demonstrate that their data subjects gave consent to the processing of their personal data which was freely given, specific, informed and “unambiguous”. Requests for consent must be clearly distinguishable from other terms and matters, and consent to the processing of personal data must be as easy to withdraw as it is to give.

Whilst existing consents may still meet the GDPR requirements, data controllers cannot rely on consent as a legal basis for processing where there is a “clear imbalance” between the parties (for example, in the employer and employee relationship), as consent is presumed not to be freely given in those circumstances.

3. Data processors will have direct legal obligations and responsibilities

One of the key changes under the GDPR is the introduction of direct compliance obligations for data processors. These include an obligation to maintain a written record of the processing activities carried out on behalf of each controller, to appoint a Data Protection Officer where required, and to notify the controller without undue delay on becoming aware of a personal data breach.

Whereas under the Data Protection Directive processors were generally not subject to fines or other penalties, under the GDPR processors may be liable to pay fines on the same basis as controllers.

4. Accountability and Privacy by design

The GDPR places significant accountability obligations on data controllers to ensure they can demonstrate compliance. This new accountability principle requires data controllers to put in place and implement appropriate policies and procedures, to maintain certain documentation (including records of processing activities), to implement data protection by design and by default (e.g. data minimisation), to carry out data protection impact assessments for high-risk processing, and to appoint a Data Protection Officer in the circumstances described above.

5. Fines

The current maximum monetary penalty the ICO can impose for a serious contravention of the Data Protection Act 1998 is £500,000. The GDPR significantly increases the maximum fines available, and supervisory authorities (in the UK, the ICO) will be able to impose fines on both data controllers and data processors on a two-tier basis, as follows:

- Up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers, and data protection by design and default.
- Up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects rights and international data transfers.

As 25 May is fast approaching, it is essential that businesses review their processing activities to understand how the GDPR will affect them. Steps organisations can take to prepare include:

1. Provide training to staff
2. Audit processing activities and the legal grounds relied on for processing
3. Review the consents you obtain to establish whether they are fit for purpose
4. Update contracts, policies and procedures to ensure compliance
5. Update Subject Access Request procedures
6. Update Privacy Notices
7. Establish accountability processes and procedures
8. Appoint a DPO (where required, or if desired)
9. Establish a breach notification procedure
10. Embrace privacy by design

If you need assistance or guidance on any of the above please contact Millar McCall Wylie on 02890 200050 and ask to speak with Abbie Long or Kevin Gallagher.