A Guide to preparing for the General Data Protection Regulation (GDPR)

You may already be aware that the General Data Protection Regulation (GDPR) is a new piece of legislation that will apply to all EU organisations and companies from 25th May 2018. The GDPR legislation is primarily intended to protect individuals from data breaches and provide them with access to their own data. The greatest impact will be for financial, insurance and medical organisations; examples of the data concerned would be credit card records, bank details and personal information. Whilst GDPR is clearly intended for consumer interactions, this is an opportunity for you to ensure that your activities are still within the Data Protection Act (DPA) and to check if you hold any personal data about your business users, such as credit card details.

We urge you to read this post and start to take your own steps towards preparing for the introduction of this new legislation.

Note that Brexit has no impact on this legislation, as it comes into force whilst we are still in the EU, and the UK Government have confirmed that the decision to leave the EU will not affect the commencement of GDPR.

In many ways GDPR is similar to the existing UK Data Protection Act 1998 (DPA), but there are new and different requirements which will mean that you will have to do some things for the first time and some things differently. Most critically, organisations in non-compliance will face heavy fines from 4% of turnover to £20m.

Because of this new legislation, the BCFA are conducting a review of the data we hold and how we make contact with our industry, and we urge you to inform yourselves of the relevant changes and conduct your own data audit so that you can demonstrate compliance.

The information that follows is taken from the Information Commissioner’s Office (ICO) website, as they are the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Many of the GDPR’s main concepts and principles are much the same as those of the Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under GDPR and can be a starting point to build from. If you are not clear about the requirements of the Data Protection Act (DPA), we urge you to follow this link for further information and guidance.

Here we have pulled out two of the key points from the overview of the GDPR that we feel will help you to focus on the key issues for our members. For further detail please refer back to the original document on the ICO web site; you can also refer to the more detailed guidance on the DPA and how this applies to and affects small organisations. There is a comprehensive section on the ICO web site for small organisations:

1. What information does the GDPR apply to?

Like the DPA, the GDPR applies to personal data. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier (e.g. an IP address) can be personal data. The more expansive definition covers a wider range of personal data, reflecting changes in technology and the way organisations collect information about people.

For most organisations keeping HR records, customer lists or contact details, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.

2. Consent

Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action, or in other words a positive opt-in; consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent.

Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process their data.

You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.

The infographic below sets out a checklist of 12 steps you can take now to prepare for GDPR.

The ICO provide this checklist and other resources to help you work out the main differences between the current law (DPA) and the GDPR. The ICO is also producing new guidance and other tools to assist you. These are all available via the ICO’s Overview of the General Data Protection Regulation.

For further reading on this topic please reference