Even with Brexit on the horizon, business leaders would be wrong to ignore the new EU data protection framework, known as the General Data Protection Regulation (GDPR). After four years of painstaking negotiations, the GDPR will come into effect on 25 May 2018.
That might sound too far away to worry about, but it will replace the current Directive without needing a vote in national parliaments. It is also something that may, or may not, get renegotiated in the event of Brexit moving forward in 2017.
GDPR legislation contains obligations that private businesses and public organisations should now be preparing for, to ensure they are ready for 2018.
KPMG has already warned that GDPR “changes are going to be complex and take time. As such, most organisations cannot afford to wait and see what form Brexit takes. Doing so would leave them with insufficient time to prepare.”
Although the shape of the Brexit negotiations keeps changing, the clearest sign that GDPR will apply in the UK came from Information Commissioner Elizabeth Denham, who confirmed that it would go ahead despite the referendum. Karen Bradley, secretary of state for culture, media and sport, agreed, replying to a question in a select committee with this statement: “We will be members of the EU in 2018, and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
Clearly, staying compliant with EU-wide data legislation is the smart move.
Steps To Take Now To Prepare For GDPR
#1: Review current data collection activities
Consider a real-world example of data collection: your website uses software from a Canadian company to track visitors. At present, that company would not be subject to EU data protection legislation; under GDPR it would be.
Geographic reach has been extended, so that any data controller or processor outside the EU that offers goods or services (even if they are free) affecting EU citizens will need to appoint a representative in the EU. Make sure you know where all of your IT and software suppliers are located, and ask how they are reacting to GDPR.
#2: Appoint a Data Protection Officer (DPO)
In some circumstances, public organisations, including councils, will need to appoint a dedicated Data Protection Officer (DPO). The new legislation makes this mandatory if any of the following applies:
(i) processing is carried out by a public authority,
(ii) the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale, or
(iii) the core activities consist of processing on a large scale of special categories of data.
#3: Demonstrate compliance
The EU is taking compliance more seriously. Data controllers will need to keep more documentation, conduct impact assessments for risky processing and implement data protection by default (e.g. data minimisation).
#4: Data processors need to get ready
Until now, data processors have not been directly subject to the legislation. That changes with GDPR. More accurate records need to be kept, and stringent agreements are required for cross-border data collection and processing. Suppliers and vendors will need to address these changes in their contracts with clients.
#5: Consent and fair processing notices
Data subjects need to give explicit consent for their data to be used. Not only that, but controllers need, at all times, to grant transparent access to subjects. Those who give consent must understand they can withdraw at any time and know why their data is being collected and processed. Fair processing notices will need to be changed to stay compliant with this legislation.
There are numerous other changes in the pipeline. Now is the time to ensure that everyone who interacts with customer data is prepared, including vendors and IT suppliers. Staff training and policy changes should start early in 2017 to ensure your organisation is compliant, since failure to prepare could incur fines of up to €20 million or 4% of annual turnover.
Time is of the essence for organisations wanting to get ready for GDPR.
For more advice on ensuring your organisation is prepared, please do not hesitate to contact me. Call 0845 643 6060 or email firstname.lastname@example.org