Are you ready for the world that’s coming?
Data protection legislation changes could cost non-compliers their business, warns Alan Strain
GDPR or, as it is more formally known, the General Data Protection Regulation, comes into force in UK law on 25 May 2018. The new rules will apply to any person or entity that processes any form of personally identifiable information on EU citizens.
It will serve as the new data protection regime across all EU nations, replacing the Data Protection Act (DPA). The new measures are aimed at strengthening and unifying data protection for people across the EU and will also address the export of personal data to countries outside the area. Some existing DPA rights have been altered while some entirely new ones have been introduced, such as a right to data portability; an extended right to be forgotten; and an enhanced subject access right.
When it goes live, data controllers and data processors will be required to provide proof that they are fully compliant with the new legislation. Failure to do so could end up being a costly affair, with non-compliance penalties of up to €20 million or four per cent of annual global turnover – whichever is higher. This represents a significant escalation of the maximum £500,000 fine for a serious breach of the DPA.
Given the far-reaching implications of this legislation, it is essential for businesses to take early steps to be compliant with the GDPR regime. Those which find themselves in breach of the new rules will face a real threat of insolvency, or even closure, as a result of the significantly enhanced penalties.
Within the workplace, GDPR will give employees greater powers over access to any of their personal data being held by the employer. They will have the right to request details be rectified, restricted or even erased. Employers will not only have to manage these new rights, they will also have to respond to any requests within a tighter maximum timescale of one month.
While GDPR does offer more transparency to employees and protection for consumers, it also creates real challenges for businesses and organisations. It has the potential to drive costs upwards and increase the need for additional resources to ensure compliance and manage requests for information.
These significant and potentially punitive rule changes are, however, on the way, with just under six months before they come into effect. Most employers are aware that they need to take action, but the question for many is: how do they do this?
A simple starting point is for businesses and organisations to undertake an assessment of their position, analysing and considering what current data protection practices they have in place. A review of these policies and procedures will then be required to ensure an employer has, or will have, appropriate records of training and guidance put in place prior to the GDPR implementation date in May 2018. A sensible measure for larger employers is to put together a compliance team whose objective is focused on ensuring that the business or organisation is in a position to meet the new standards.
Employee access to data should also be a key consideration in preparing for compliance. This includes looking at smarter methods of accessing data by staff in order to reduce management time and costs in dealing with requests. Smarter use of technology could assist this process, ensuring that commercial and confidential aspects are protected in determining what form and to what extent access to data will be permitted.
As the new regime affects firms of all sizes, SMEs must also ensure they have their houses in order. Small business owners would be well advised to either designate an individual with specific responsibility for GDPR compliance or take on the task themselves, with the support of external advisers if needed.
Companies and organisations of all sizes must also bear in mind that putting policies and procedures in place is only part of the equation. These need to be promoted internally and monitored as part of an ongoing compliance process.
GDPR is coming sooner than many might like. Employers need to act by considering what personal data they are processing from cradle to grave and implementing smart policies and procedures to ensure they remain on the right side of the new regime.
Alan Strain is a Partner, Davidson Chalmers