The GDPR will apply in the UK from 25th May 2018 and is similar in many ways to the existing UK Data Protection Act 1998 (DPA). The GDPR applies to personal data processing by organisations operating in the EU and organisations that offer goods and services to individuals in the EU and aims to harmonise data privacy laws across Europe. The Government has confirmed that the UK’s decision to leave the EU will have no effect on the commencement of the GDPR.
Personal Data & Compliance
Personal data is anything that can be used to identify a person or ‘Data Subject’. For example, a name, photo, email address, bank details, posts on social media, medical information or even an IP address.
The GDPR applies to ‘controllers’ and ‘processors’. The controllers are the ones who say how and why personal data is processed, and the processors act on behalf of the controller. The GDPR will apply to all data processing in the EU, regardless of where the processing takes place, and it is likely that if you are already subject to the DPA, due to their similarities, you will also be subject to the GDPR.
There are penalties for non-compliance with the GDPR, and non-compliance will result in a fine. For example, a fine of 2% will be issued for not having records in order. For the most serious offences, organisations can be fined up to 4% of their annual turnover or €20 million, whichever is larger. An example of such an offence would be not having sufficient customer consent to process personal data.
What consent do data processors need?
Consent must be given before any data can be processed. This is to protect the individual, and to avoid confusing or tricking them into providing data which they don’t wish to share. Companies will no longer be able to use illegible terms and conditions full of legalese and other language that is difficult to understand. The request for consent must be given in an intelligible and easily accessible form. It must also be made clear what the intended purpose of the data processing is; this is ‘unambiguous’ consent. It must be as easy to withdraw consent as it is to give it. ‘Explicit’ consent is only required when processing sensitive personal data.
Data subjects must have access to the data that is being stored. Controllers must provide a copy of the personal data in an electronic format, free of charge. Similarly, data subjects can request that the data controller erase their data, cease further dissemination of the data and potentially stop third parties from processing the data. This can be done if the data is no longer relevant to its original purpose, or if a data subject withdraws consent.
What about data breaches?
In the event of a data breach, the DPA must be notified within 72 hours and any affected individuals without undue delay. You must notify them of the nature of the breach; the name and contact details of the data protection officer or other contact point where more information can be obtained; a description of the likely consequences; and a description of the measures taken, or planned to be taken, to deal with the breach.
How will this affect me?
The GDPR is aimed at any company handling personal or sensitive data belonging to citizens living in the EU. As a member of the Society of Will Writers, you should already be complying with the Data Protection Act to ensure that any client information you are holding is protected in accordance with the data protection principles as well as the terms set out in the SWW Code of Practice.
SWW Code of Practice 2.8
A Member shall not disclose information relating to the Member’s client’s affairs to any third party without the consent of that client unless legally required to do so and shall comply with all legislation from time to time in force relating to data protection and money laundering.
We would just like you to be aware of the consequences of not holding your clients’ data securely and of any breaches of these new regulations.
The GDPR is significantly more elaborate than we can cover in a short article. For a more detailed and thorough summary, please visit either https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ or http://www.eugdpr.org/eugdpr.org.html