Time to prepare for new data regulations

Belfast Telegraph - Business Telegraph - Platform - By Paul Eastwood, Solicitor, Tughans

The countdown for the UK’s implementation of the General Data Protection Regulation (GDPR) is fast approaching, with 10 months to go until May 25, 2018, the date by which affected companies are required to ensure compliance or face penalties.

The GDPR is the widest-ranging amendment to data protection law in the UK in 20 years, but if your company doesn’t process any data that can identify a living person, or is prepared to face fines of up to €20m (or, if greater, 4% of the previous year’s global turnover), you may be more relaxed about taking steps to prepare for the GDPR.

In light of the UK’s impending Brexit, it is worth noting that this is likely to be one area of law that will remain unaffected by the country’s departure, as any entity that trades in the European Union will be required to comply with GDPR.

Thinking back to the referendum some 11 months ago, the May 2018 deadline won’t take long to arrive, so the time to start preparing is now or very soon.

Those companies confident of their compliance with the requirements of the Data Protection Act 1998 are in a good position but are not free from having to take further action.

The main changes the GDPR will introduce are as follows.

Maximum fines are being increased so that, depending on the nature of the breach, companies could be fined up to €20m (or, if greater, 4% of the previous year’s global turnover) or up to €10m (or, if greater, 2% of the previous year’s global turnover).

This is increasing from the current fine cap of £0.5m.

Consent to processing must now be given explicitly and affirmatively.

This will likely remove the ability to rely on silence or inactivity (such as failing to tick a box) to prove consent to the processing of data.

Consent may also be withdrawn at any time, and must not be used as a pre-condition for a contract for which data processing isn’t necessary.

Data Processors (being those who are processing data on behalf of another entity) will now be subject to compliance requirements too.

Subject access requests must be complied with within one month, instead of within 40 days.

This change of law is likely to affect the overwhelming majority of companies in the UK and entails far more changes than are set out here.

However, when it is implemented, its boundaries will no doubt be tested before the courts.

If the prospect of being a test case (with €20m riding on it) doesn’t sound attractive, there is still sufficient time to start asking what data you hold, why you have it, what budget needs to be allocated to implement all the changes required, and what the data protection (and liability cap) clauses in your current contracts say.

May 2018 may seem far off, but there is no time like the present.
