With less than six months left until the General Data Protection Regulation (GDPR) comes into effect, Rosemary Lundy and Lynsey Mallon, Partners at leading law firm Arthur Cox, examine what preparations businesses must make ahead of the introduction of the new data protection rules in May 2018.
It is set to be the most significant change to data protection rules in more than 20 years, and, if they haven’t already, businesses must begin preparing now to ensure they are fully compliant with the General Data Protection Regulation (GDPR) before it becomes effective on 25 May 2018.
The regulation, which will apply to all firms, is designed to provide a greater level of consistency in terms of how data is protected across Europe.
Irrespective of the outcome of Brexit negotiations, GDPR will be introduced across all EU countries. In the UK, it will be aligned to some of the key concepts and principles contained in the Data Protection Act 1998, although there are some changes that businesses need to be aware of.
Part of the regulation will focus on ‘key coding’ or ‘pseudonymous data’, which is a measure to make data more difficult to decipher, should it be inadvertently released, thereby reducing the risk to the individual concerned.
New levels of scrutiny will be added to the use of profiling, such as online tracking and behavioural advertising – tools commonly used in marketing and advertising.
There will also be a new standard of consent introduced, defined as ‘any freely given, specific, informed, unambiguous indication of the data subject’s wishes’, which will likely rule out a dependence on silence, pre-ticked boxes, or inactivity.
Individuals will reserve the right to object to their personal details being processed and moved directly from one data controller to another.
New time limits on the supply of requested information will be introduced, with the current 40 calendar days to be replaced by a limit of one month, and the information to be provided free of charge.
There will also be new liability under GDPR for those organisations that process data. Any data breaches must be notified to the supervisory authority (the Information Commissioner’s Office) without undue delay and, in any case, within 72 hours.
Organisations that have not already started the process of preparing for GDPR should prioritise conducting a data audit, and ensuring transparent internal policies are in place that integrate safeguards into processing, such as encryption.
Firms will be expected to consider state-of-the-art technology and implement appropriate technical and organisational measures in order to adhere to the new standards. They will also be required to have procedures for redressing poor compliance and breaches, whilst for public sector organisations (and some private companies), a Data Protection Officer must be appointed to oversee compliance.
The costs for not complying with the new rules are considerable, with the potential for fines of up to £18 million, in addition to having to cover the costs of compensation for affected parties.
Seeking expert legal advice will help businesses to reduce their risk of a data breach in the future, and help them avoid the financial penalties and associated negative publicity that would come with non-compliance.
The wide range of advisory teams at Arthur Cox are well positioned to advise on all legal requirements. Call +44 28 9023 0007 for further information from Rosemary or Lynsey, or your regular Arthur Cox contact.