We’ve been hearing a lot about the General Data Protection Regulation (GDPR) for weeks, but the waiting is almost over. With 2 weeks until the biggest change in data protection for over 20 years takes effect, here is a short summary of some of the changes afoot:
The GDPR sets out 6 key data protection principles that businesses must comply with if they process personal data. Specifically:
- Personal data shall be processed fairly, lawfully and transparently.
- Personal data shall be obtained for one or more specified purposes and not processed inconsistently with that purpose or purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the processing in question.
- Personal data shall be accurate and up to date.
- Personal data shall not be kept for longer than is necessary.
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Data protection is nothing new, but the impact of the new GDPR raises several key issues. Here we highlight just a few of them:
Issue 1: Enforcement and penalties, which are significantly higher than the current cap of £500,000 per offence.
Issue 2: Consent must be ‘freely given’, ‘specific and informed’ and unambiguous. The ICO website contains draft consent guidance (March 2017) which we recommend reading. In short, consent must be opt-in; failure to opt out is not consent.
Issue 3: Data security breaches must now be reported, and an escalation process documented.
For specific help and advice on GDPR we recommend seeking the help of a GDPR professional. See the ICO website for further guidance: https://ico.org.uk/