Much has been said be about the European General Data Protection Regulation (GDPR) changes to the data protection act.
Uncertainty is rife among businesses about how this legislation will affect them in the short term, after it comes into force on 25 May 2018, and in the long term, after Britain leaves the EU.
In this article, we have tried to answer some FAQs about GDPR.
Why has the European Union decided to make changes to the data protection regulations?
The European General Data Protection Regulation was created to regulate the progression of personal data within the European Union. Dubbed by the BBC as “biggest shake-up of data protection laws for 20 years”, it is a modernisation of data protection laws drawn up in 1995, before mass internet adoption. The new regulations have been designed to reflect how major organisations are now using and sharing their customers’ and contacts’ data.
Officially known as the Directive 95/46/EC, GDPR will have the force of law across all 27 EU states, giving uniformity of data protection laws and significantly increasing penalties for non-compliance.
What will companies have to do to comply with the European General Data Protection Regulation?
Crimson recommend that your organisation works with experts to ensure that it thoroughly adheres to GDPR. Here are some of the factors that you will need to consider to become compliant.
Computer Weekly recommendations;
- Update your organisation’s privacy policies, procedures, and documentation. Data protection authorities will be able to ask for these at any time.
- Form a governance group to oversee all your data privacy activities. This should be led by a senior manager and or a data protection officer if you have more than 250 employees. The group should establish KPIs to measure the status of privacy efforts, report regularly, create statements of compliance, and produce an annual report.
- Enhance your incident management, detection, and response processes. The relevant data protection authority must be informed about any data breach, even if protective measures, such as encryption, are in place or the likelihood of harm is low.
- Prepare your organisation to fulfil the ‘right to be forgotten’, ‘right to erasure’ and the ‘right to data portability’. A strategy covering topics such as data classification, retention, destruction, storage, search, and data collection mechanisms will be required.
- Take a ‘privacy by design’ approach. Create and enforce privacy throughout your systems' lifecycles whether you buy or develop. This will ensure privacy controls are simpler to implement, harder to by-pass, and totally embedded within your systems’ core functionality.
- Consider which parts of your operations are established in the UK and may be affected by proposed changes.
- Identify personal data flows from the European Economic Area to the UK. At the time of leaving the EU, flows of personal data from the European Economic Area countries to the UK will become prohibited without new adequate safeguard measures being adopted.
- Identify your UK establishments which monitor the behaviour of, or offer goods and services to, citizens in the EU/EEA. Such UK establishments may be subject to GDPR despite Brexit due to the new territorial scope of GDPR which extends beyond the EU.
- Monitor the UK data protection authority’s statements on Brexit, GDPR and how to remain compliant – current ICO (Information Commissioner’s Office) guidance is to continue to prepare for GDPR.
- If your main EU establishment is currently in the UK, consider where your No. Two establishment in the EU is based, as that is likely to be where your lead EU data protection supervisory authority will be located under GDPR.
- Regularly check for relevant developments and keep your plans up to date.
How will Brexit effect this legislation?
Following the passing of the Brexit Bill in parliament, it is expected that Prime Minister Theresa May will enter withdrawal talks with the European Union in the last week of March 2017.
Once the UK gives notice to leave the EU, it would then leave on the sooner of withdrawal terms being agreed and the expiry of two years from giving notice, so by end March 2019.
There will be an intense period of preparation and negotiation between the UK and EU to agree the terms of withdrawal and for their future relationship. The terms agreed will affect the extent to which the UK continues to comply with and/or keep up with EU laws.
GDPR will come into force on 25 May 2018, when the UK is likely to still be in the EU. It will apply between May 2018 and any departure from the EU.
As a regulation, GDPR will automatically fall away when the UK leaves the EU. However, the UK can choose to adopt domestic legislation to retain GDPR in whole or part. Current UK government announcements support such retention.