This is a non-tax specific article, but it is regarding an issue that potentially affects us all in practice. Yet more red tape to tie us in practice or an important safeguard – we will let you decide!
GDPR stands for General Data Protection Regulation and is a term that we are starting to hear more and more as companies and individuals start to think about what it means for them. StayPrivate have kindly provided an overview of what GDPR means in practice for your organisation and we wanted to share it with you.
GDPR is an EU Regulation that applies to all member states. We consider the impact of Brexit below, but for now GDPR applies to the UK.
GDPR is not something business entities can ignore – the maximum fine for failing to comply is €20,000,000 or 4% of annual worldwide turnover, whichever is higher.
So, what is GDPR and when does it take effect?
GDPR comes into force on 25th May 2018. It reflects the increasing importance of personal data and data security since the previous Data Protection Act was enacted in 1998, and it substantially tightens the requirements on businesses storing, sharing, sending and receiving the personal data of individuals in the EU, wherever the business itself is based.
Personal data is defined to be “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Businesses are required not only to comply with, but to demonstrate their compliance with GDPR. Businesses are also expected to implement measures to ensure that data protection is designed into the development of business processes for products and services, adhering to the principles of Privacy by Design and Privacy by Default (Article 25). Such measures may include data pseudonymisation or encryption (Recital 78).
8 things you need to know about GDPR
- You need to explain to clients via updated privacy notices why you are collecting data, what you will be doing with it, how long you will keep it, who will have access to it, and where it will be stored. Where you rely on consent as your legal basis, it must be an unambiguous, affirmative opt-in (pre-ticked boxes and silence do not count), it must be as easy to withdraw as to give, and you need to keep a record of when and how it was obtained.
- You need to think about what personal data is stored where and how it is shared both internally and externally. You should start to map customer journeys and contact strategies highlighting every point personal data is captured, stored and shared.
- You need a detailed plan documenting how you will deal with a data breach. Make sure that you have processes in place to detect a breach, assess where it occurred and what data was affected, stop further loss, and notify the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the individuals affected, you must also tell those individuals without undue delay. Keep a written log of every breach, including ones you decide do not need reporting, and the reasons for that decision.
- Customers have the right to know what personal data you hold and to request a copy of it at any time, free of charge in most cases. You need to have processes in place to be able to locate and deliver the data securely, in a commonly used electronic format, within one month of the request (extendable by a further two months for complex or numerous requests, provided you tell the individual why).
- Clients also have the right to demand that their personal data be deleted (within certain parameters – for example, you may still need to retain records to meet statutory tax and accounting obligations), and you must confirm to them what action you have taken. You will need processes in place to locate and delete the data, including copies in backups and with third parties you have shared it with.
- GDPR applies to your external communications as much as it does to your internal processes. Sharing of personal data such as name, address, age etc. needs to be done securely, for example by encrypting the transfer or by pseudonymising the data before it leaves the firm. Encryption is not mandated outright, but it is the measure GDPR names as appropriate, and an unencrypted spreadsheet of client details sent by ordinary email is hard to defend. If you routinely send or receive such data from clients or other external contacts via email, you will need to ensure that it is properly encrypted in transit and, ideally, at rest in the mailbox.
- If you have not already done so, it would be an excellent idea to appoint a Data Protection Officer. A DPO is compulsory only for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data (health, criminal records and the like), but any firm benefits from having one named person responsible. The DPO should be responsible for working through the new regulation, documenting what new procedures you need to put into place to comply, monitoring that they are implemented correctly and adhered to on a day-to-day basis, and acting as the point of contact for the ICO and for individuals.
- Instruct your DPO to brief all of your staff on the importance of complying with the GDPR. Encourage all staff to think of personal data as a valuable commodity which needs to be protected constantly and that can only be used for the purpose for which it was obtained.
So, GDPR is an EU Regulation – what about Brexit?
Yes, the UK is leaving the EU – but the government triggered Article 50 on 29 March 2017, which starts a two-year process for leaving (it could take longer if extended). That means the UK will still be a member state on 25 May 2018, so GDPR will take effect in the UK before Brexit does, and UK businesses must comply with it.
Karen Bradley, secretary of state for Culture, Media and Sport, said recently "We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public."
The UK government announced a new Data Protection Bill in August 2017 and introduced it in Parliament in September 2017; it largely mirrors GDPR's requirements. Once passed, this legislation is intended to answer the question of how the UK will protect data once GDPR itself no longer applies after Brexit – essentially by carrying the European rules over into British law, so businesses should not expect the obligations described above to go away.
Many thanks to StayPrivate for helping with this briefing, which we hope you find useful. StayPrivate provides QUORUM, a cloud-based communication solution which helps businesses of all sizes communicate over the internet conveniently, securely and compliantly. If you would like an introduction to them, please let us know.