GDPR: facts and fictions

By Paul Clark, Jacksons Law Firm

This image probably sums up many businesses’ attitudes to data protection – feeling a bit like you are lost in the Matrix with the threat of something sinister lurking in the background…

…fortunately, the forthcoming reforms to UK data protection law resulting from the EU’s General Data Protection Regulation (GDPR) need not be as scary as they may seem.

For starters, the new Data Protection Act which will implement GDPR is expected to preserve many concepts of the existing Data Protection Act 1998, including key terminology along with the roles of “data subject” and “data controller”. “Personal data” is at the heart of GDPR and whilst the definition is far more expansive than previously, many data protection principles will be retained, only they will be more rigorously enforced under the new rules. If your business is already complying with the Data Protection Act 1998 then you are in good shape to remain compliant when the deadline for implementation of GDPR on 25 May 2018 comes around.

So what will change?
Businesses will be more accountable under GDPR. They will need to show not only that they are processing data correctly but also that they have systems in place to identify a data breach and, in the majority of cases, notify the regulator within 72 hours of one occurring. This will inevitably mean raising awareness of data protection obligations throughout a business and require employers to provide regular training for all members of staff who process data.

But perhaps the most talked-about change will be to the rules around obtaining consent. Consent is not the only permissible condition for processing data – under GDPR it will be possible to lawfully process data for certain other reasons, such as if it is necessary for the performance of a contract or for compliance with a legal obligation. However, where the data subject’s consent is relied on to process personal data concerning them, for example where previously an individual has ticked (or failed to tick) a box on a form to be included in a mailing list, consent will need to be “freely given, specific, informed and unambiguous” according to Article 4, GDPR. This has the potential to be a big headache for sales and marketing teams.

What can be done? Well, at this stage it remains to be seen how businesses will adapt to the changes to consent and the end of a “file and forget” culture. Certainly, blanket consent will be prohibited under GDPR and businesses will need to periodically renew any consent they are relying on to process an individual’s personal data. Fresh consent will be necessary where there is a change to how, or the reason why, data is to be processed. The right to withdraw consent will need to be made clear, and businesses will need to give a little respect to the right to be forgotten (the right to erasure). A privacy notice containing specified information on the purpose for which the data will be processed will be mandatory before or at the point of data collection.

At Jacksons Law Firm, we have been active advising clients on GDPR for some time and have developed the following practical steps for businesses to take when starting to address the issues:

1. Break down your business into areas
2. Appoint a person for each area
3. Identify the data each department collects and uses
4. In terms of data, think: Where? Why? How? Who? How long?
5. Consider whether there is a clear justification for holding such data
6. Ask whether you need to get rid of any unnecessary data
7. Review how you are securing and protecting the necessary data
8. Ensure that it is clear in your internal and external data policies how you will collect, process and protect such data

If you have any questions about GDPR please do not hesitate to contact Louise White or Charlotte Alexander from Jacksons Law Firm’s Corporate and Commercial department by telephone on 01642 356507 or by e-mail via lwhite@jacksons-law.com and calexander@jacksons-law.com, or Paul Clark from Jacksons’ Employment department on 0191 206 9626 or via pclark@jacksons-law.com.

Jacksons Law Firm and the North East BIC will also be holding a GDPR Workshop on Wednesday 7 February 2018.

Jacksons Law Firm is one of the North East’s longest established law firms and offers a full range of legal services including commercial property, employment, corporate, litigation and debt recovery, education, matrimonial, wills, trust and probate and residential conveyancing.