The GDPR is Nearly Here

Business Insights

The GDPR is nearly here, due to come into force on 25th May, yet many businesses are not ready, and many others haven’t even started to prepare.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.

Many of the reasons companies haven’t got to grips with preparing for the new legislation come down to an assumption that it doesn’t apply to them. They see themselves as being too small, not doing business with the EU, able to rely on existing data protection legislation, or perhaps just assume that as we are leaving the EU the rules won’t apply.

None of these assumptions are true: the regulations will apply to every business, no matter how large or small, and whether they trade with Europe or not. So if you haven’t got your ducks in a row, you need to make a start.

The idea that smaller businesses don’t need to comply may have arisen because the GDPR does include an exemption in relation to record keeping for smaller businesses (those with under 250 employees), but it does not exempt them from compliance with all the other aspects of the regulation.

Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying with the current law then most of your approach to compliance will remain valid under the GDPR and can be a starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.

The first step every business should take is to understand what data it needs to protect and how that data flows through the business.

On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy. This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion?

The GDPR includes the following rights for individuals:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object;
  • the right not to be subject to automated decision-making including profiling.

It is not uncommon for a business’s systems and software used for handling data to have been installed, as and when required, over time in a rather haphazard fashion. This can make it difficult to establish who can access the data, how they do it and why.

However, one of the central purposes of the GDPR is to ensure that only people who absolutely need to access and process an individual’s personal data can do so.

For example, you may hold a record of someone’s name, address and contact details from doing business with them at various times, but are they a supplier, a customer or even a rival business? Not everyone in your business needs access to those details, so the GDPR will put an obligation on you to regulate access to that information, which may mean that it needs to be encrypted.

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. It is not always necessary to appoint a Data Protection Officer (DPO) as such, but someone in authority must take responsibility for compliance.

You must designate a DPO if you are a public authority (except for courts acting in their judicial capacity), an organisation that carries out the regular and systematic monitoring of individuals on a large scale, or an organisation that carries out the large scale processing of special categories of data, such as health records, or information about children.

There is plenty of help and advice available, particularly from the Information Commissioner’s Office (ICO) and specialist advisors, some of whom offer on-line platforms. The key thing is to make a start, if you haven’t already!