02 November, 2017
The General Data Protection Regulation (GDPR) will come into force in the UK from 25 May 2018 and will apply to all 'controllers' and 'processors' of 'personal data'. Organisations hold vast amounts of personal data relating to employees, customers and suppliers. It is advisable to become familiar with the new provisions introduced by the GDPR and to engage with this process early, because the old risks continue to apply with bigger consequences. For example, data security breaches or disclosure by mistake continue to be a violation of the law, but the maximum fine that can be imposed increases from £500,000 to up to €20 million.
We regularly advise a range of businesses on data protection law including compliance with the current Data Protection Act 1998 and preparing for the GDPR. As part of our work with our clients and our own preparations for GDPR, we have produced answers to a number of questions which we are frequently asked:
A Data Protection Officer ('DPO') is a new statutory job role which has been created by the GDPR. DPOs are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. Not all organisations are required to have one. However, if you are a public authority, or are likely to be carrying out regular and systematic monitoring of individuals on a large scale or processing sensitive data on a large scale, you will be legally obliged to appoint a DPO. Organisations that are not legally required to appoint a DPO may still do so if they wish. Regardless of whether or not the GDPR obliges you to appoint a DPO, organisations must ensure that they have sufficient staff and skills to discharge their obligations under the GDPR.
The GDPR requires organisations to keep records of the data processing activity they are undertaking. Organisations with fewer than 250 employees are exempt from this requirement unless their processing activities are risky, frequent or include sensitive data. However, the information that organisations obtain from their employees as employers often contains sensitive data, so it will be rare that an organisation can rely on this exemption. Therefore, most organisations will be required to keep a record of processing activity.
It will be mandatory to report a personal data breach under the GDPR if it is likely to result in a risk to individuals' rights and freedoms. Further guidance from the ICO on the circumstances in which breaches must be reported is due to be published in the New Year. However, if the data breach poses a risk to an individual (e.g. risk of discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage) then the data breach should be reported to the ICO within 72 hours.
The GDPR introduces a higher standard of consent which must be obtained from individuals. Consent can no longer be inferred or implied. The GDPR does not require organisations to automatically refresh all their consents. However, the GDPR does make it clear that if organisations want to rely on consent obtained pre-GDPR (under the Data Protection Act 1998), those consents must meet the GDPR standard (e.g. affirmative, opted-in, informed, freely given consent). If the consent does not meet the GDPR's higher standard, or the consents are poorly documented, organisations will need to seek fresh GDPR-compliant consent in order to comply with the GDPR.
The rules on consent and marketing do not apply to 'corporate subscribers' (e.g. companies, LLPs and government bodies). The GDPR only applies to living individuals, and therefore a company does not fall within this definition. However, the definition of 'corporate subscribers' does not include sole traders. Sole traders will have the same protection as individuals under the GDPR. In addition, it should be noted that individuals working for a company are protected under the GDPR. Therefore, if marketing correspondence is being sent to a named individual's corporate email address (e.g. firstname.lastname@example.org) rather than a generic company email address (e.g. email@example.com), that individual will have data protection rights under the GDPR, including the right to stop any marketing being sent to that type of email address.
The GDPR does not set a specific time limit for consent. Consent will degrade over time, and it certainly does not last forever. Organisations will need to keep consents under review and consider refreshing them at user-friendly intervals.
If you are looking for more information with regards to our services, view our Commercial section. You can also contact Bethany Paliga in our Commercial department on 01254 222 347 or by email. Alternatively, send any question through to Forbes Solicitors via our online Contact Form.