EU data law will affect businesses

The Peterborough Evening Telegraph – Business

We may only just be into a new year, but businesses need to be aware of a huge piece of EU legislation that comes into force in May 2018 – replacing the UK’s 1998 Data Protection Act.

The General Data Protection Regulation (GDPR) has been a long time coming, with various drafts having been published over recent years, and marks a tough new era in EU-wide data protection, including greater responsibilities for data processors and severe penalties of up to four per cent of worldwide turnover for non-compliance.

It imposes much stricter operating boundaries on businesses that process personally identifiable information about EU citizens, not just those based within the EU.

It means any UK business trading with EU citizens, even post-Brexit – regardless of whether or not Britain exits the EU before May – will be affected, as will anyone who transfers personal data from the EU to the UK for processing or storage.

The main provisions of the GDPR include:

Consent – currently, much data is collected on the basis that individuals will choose if they wish to opt out. In future, an individual will have to make a positive action that demonstrates their consent in order for their data to be collected.

Transparency – more information will have to be provided by the processor from the outset about how data will be used and how long it will be kept for, as organisations must not hold on to data for any longer than absolutely necessary.

Accountability – there is a shift from risk management to compliance, so in future organisations will have to be able to show that they are actively complying with the GDPR, not just identifying risks or responding to breaches as they occur.

Specialists – a specialist Data Protection Officer will be an obligatory appointment for most public bodies and for any organisation controlling or processing data where core activities involve “regular and systematic monitoring” of data subjects “on a large scale”. For an organisation that subcontracts its processing there is a high duty of care imposed in selecting their data processing provider, with procurement processes to be followed and regular ongoing reviews.

Breaches – currently some may be managed internally without reporting, but in future there will be a statutory obligation to notify the regulator – the ICO in the UK – and the individuals affected if there is any risk to an individual’s personally identifiable information as a result of any breach. Fines will be imposed for breaches, up to a maximum of €20m or 4% of total worldwide turnover for serious contraventions.

Children – no one under 13 can give their consent to the processing of personal data in relation to online services, and so parental consent must be obtained. Member States are free to set their own rules for those aged 13–15; if they do not, parental consent will be required for children under 16.
