What is it?
The General Data Protection Regulations 2018 (“GDPR”) is EU legislation set to apply in the UK from 25th May 2018. It replaces the current Data Protection Act (“DPA”) and is designed to unify the regulation of personal data across Europe.
The government has confirmed that Brexit will have no impact on its introduction to the UK, and the UK will maintain it for the foreseeable future, to help ensure easy trading with the rest of the EU after we leave.
Who must comply with the GDPR?
GDPR applies to any party that ‘controls’ or ‘processes’ the personal data of any individual EU resident, irrespective whether or not that party is based within the EU. Certainly, any business that must currently comply with the DPA will need to ensure it complies with the GDPR. If you run your own limited company, you are running a business and must consider if any part of these new rules requires action on your part.
In some respects, the GDPR is very similar to the DPA in that it is designed to protect and regulate the use of an individual’s personal data; however, what may be defined as personal data is much broader under the GDPR, extending to IP address and other such online identifiers.
Furthermore, the individual has more rights under GDPR and it’s far more costly for the organisation if these rights are breached.
These rights include:
- The right to be informed how their data is to be used, and why;
- The right to access their personal data and other supplementary information;
- The right to rectification of any personal data that may be inaccurate or incomplete;
- The right to be forgotten, essentially requiring the business to remove that individuals data if requested;
- The right to restrict the processing of their data;
- The right to data portability;
- The right to object to the processing of data based on legitimate interests;
- The right not to be subject to automated decisions (i.e. where there is no human influence)
This list is not exhaustive and like the DPA, an individual can make a subject access request (SAR), however, unlike the DPA, the business may no longer charge for the provision of a SAR (previously a maximum of £10) and must provide the SAR within a month (previously 40 days).
The cost of non compliance is vastly different to the DPA, with maximum penalties (in severe cases) reaching €20 million or 4% or annual global turnover – whichever is higher.
Legitimate reasons for processing data
There are a number of reasons an organisation may rely on to support the processing of data:
- Consent of the data subject;
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract;
- Processing is necessary for compliance with a legal obligation;
- Processing is necessary to protect the interests of a data subject or another person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action, such as a positive opt-in.
Importantly, consent cannot be inferred from silence, pre-ticked boxes or inactivity.
Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent.
Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process their data.
Remember that you can rely on other lawful reasons apart from consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests.
You are not required to automatically renew all existing DPA consents in preparation for the GDPR. But, if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.
What can you do now?
Review your business and assess where you are with your data now.
- What personal information do you hold?
- Is it stored securely, both when in rest and in transit?
- Who has access to it?
- Why do you need it, and is it all required?
- Do you have consent (see above) to use it or can you rely on another legitimate reason?
- Do you have documented policies and processes in place?
- How long can you / should you legally keep it?
- Is it backed up?
- Are there risks of data loss?
- Do you share it with 3rd parties and what steps have they taken to ensure their own compliance?
It is each business’s (organisation’s) responsibility to ensure they comply with GDPR. For more information, please review this guide from the Information Commissioner’s Office, who will police the new rules.
Typical impacts we have seen on cases we have looked at have included:
- Long held client data relating to completed project work now needing to be deleted from all systems – where previously there was no significant motivation to do so
- A policy being required in relation to holding client data. For example, an accountant would normally hold data for years as HMRC may request it in the usual course of business – an IT project delivery company may not need data to be retained as soon as a project is finished (but check the terms and conditions in your contract)
- Changes to contractual terms and conditions – where these referred to the Data Protection Act, they will now refer to GDPR, and usually include much more detail
- A large volume of requests for businesses and individuals to ‘renew’ their consent to be contacted by those businesses – as the previous quality of consent obtained is insufficient for the new rules.
The GDPR rules are a legal matter, not an accounting one, however, if you have any further questions, please let us know and we will try to assist.