GDPR – changes on the horizon for data protection legislation
Irrespective of the UK’s EU referendum decision, new regulations agreed by the Union will still become UK law for the time being. Businesses should remain alert to EU-wide legislation of significance to their operations, such as the General Data Protection Regulation (GDPR) which will apply from next year.
Replacing the Data Protection Act 1998, the GDPR requires every organisation that processes personal data to be compliant with the new rules from 25 May 2018. The changes from the old law are significant. Most notably, the potential fines for non-compliance are substantially increased, from the current maximum fine of £500,000 up to the greater of either four per cent of worldwide annual turnover, or €20m. That’s enough to make everyone sit up and take notice.
Why are the changes being made?
The changes in our use of the internet and social media in the last 20 years have been phenomenal. As a result, businesses have exponentially more access to all of our personal data, largely for their marketing activities. The current law is therefore well behind current technology. So the purpose of the GDPR is to redress the balance in favour of the individual, by enshrining the protection of personal data as a fundamental human right.
How to prepare for GDPR
1. Make sure the right people in your organisation know it’s coming
Senior staff should gain an understanding of GDPR’s scope and requirements. The ICO (the Information Commissioner’s Office, the UK regulator) provides a lot of helpful information on its website. Your organisation should then be prepared to invest in the appropriate resources necessary to enable compliance, supported by the organisation’s highest level of management.
2. Identify your data
You must be able to identify the personal data (by which is meant information; note that ‘data’ is plural) you hold about your employees, customers and suppliers, how they are used, and where they are stored. If you don’t know what personal data you hold and where they came from, you should conduct an audit. You should document the findings, as GDPR requires you to keep records of your processing activities, including sharing data with third parties.
3. Update your privacy notices
You may well already have privacy notices, which are required to tell individuals, concisely and clearly, how you intend to use their data. These will need to be updated for GDPR to give additional information, such as how long you will keep the data for and your lawful basis for processing. You can find guidance on GDPR-compliant privacy notices on the ICO website.
4. Check your processes meet individuals’ new rights
GDPR gives people many more rights over their data, in particular the right to be forgotten (to have all one’s personal data deleted), the right to object to certain types of processing and the right to portability. You need to understand the new rights and have processes in place to accommodate them.
5. Know how to deal with ‘subject access requests’
Individuals’ right to access their personal data exists already, but the threshold (albeit nominal) payment required to implement the request will disappear. There will therefore be little discouragement to anyone making a request, and often these are used as a way to cause disruption as part of other grievances.
6. Identify your ‘lawful basis’ for processing data
You may only process data with a ‘lawful basis’ to do so. Often organisations rely on consent as their lawful basis, but it’s important to remember there are others, such as processing being necessary to deliver a contract with the individual, or having a legitimate interest in processing (provided the individual’s rights are not compromised). You have to document the lawful basis on which you rely, and it’s worth relying on bases other than consent because consent may always be withdrawn.
7. Review how you get consent to use personal data
If you have to rely on consent, you need to review how you obtain and manage that consent. GDPR says that consent must be freely given, specific and easily withdrawn. This means that individuals must positively opt in – opt-outs, such as pre-ticked boxes, silence or inactivity will no longer work.
8. Be ready to report personal data breaches
GDPR introduces a duty to report certain types of personal data breach (meaning the destruction, loss or unauthorised access of personal data) to the ICO and, in some cases, to the individuals concerned. You must be able to show you have procedures in place to investigate, detect and report data breaches.
9. Build data protection into new projects
GDPR makes ‘privacy by design’ a legal requirement, meaning building data protection into all new projects and services. This may require a data protection impact assessment to be undertaken.
10. Decide who will be responsible for data protection in your organisation
For some organisations, such as public authorities or companies carrying out large-scale processing, GDPR requires appointment of an independent Data Protection Officer. As an architect’s practice this would not apply, but nevertheless you should appoint someone internally to take responsibility for compliance.
Text by Darren Heath, RIBA in-house lawyer © RIBA. This is a ‘Practice News’ post edited by the RIBA Practice team. The team would like to hear your feedback and ideas for Practice News: firstname.lastname@example.org.
Posted on 21 September 2017.