GDPR – How Will it Affect my Business?

All businesses have paper and/or digital records of data relating to their customers and employees: names, addresses, emails and other personal information.

On 25 May 2018, the General Data Protection Regulation (GDPR) comes into effect. The GDPR sets new standards for data protection and its enforcement. It restates what is meant by personal data and how that data should be collected, managed, stored and secured.

While GDPR consolidates existing data protection principles, it significantly strengthens the rights of individuals (data subjects) in relation to data held about them including how they can access, rectify and have that data erased (“the right to be forgotten”).

A key decision for any business planning for GDPR will be to identify the lawful basis upon which it is going to process personal data. Much of the hype surrounding GDPR relates to “consent”, which we will turn to shortly. However, consent is just one of a number of lawful grounds on which GDPR permits the processing of data. The other lawful grounds are:

  • Contract – where processing is necessary for the performance of a contract with the data subject, or to take steps at the data subject’s request before entering into a contract
  • Legal obligation – where processing is necessary to comply with a legal obligation to which the controller is subject
  • Vital interests – where processing is necessary to protect someone’s life or vital interests
  • Public task – where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
  • Legitimate interests – where processing is necessary for the legitimate interests of the data controller (or a third party), except where those interests are overridden by the interests, rights and freedoms of the data subject

Marketing aside, then, the received wisdom is that consent should be relied on as the basis for processing personal data only where none of the other grounds above applies.

Consent already exists as a concept under the current data protection regime, and GDPR makes valid consent harder to obtain. Organisations already need consent before sending marketing communications, and a pre-ticked box has commonly been used to obtain it. GDPR requires that consent be freely given, specific, informed and unambiguous, that it be properly documented, and that it be as easy to withdraw as it was to give. Pre-ticked or opt-out boxes will no longer count as consent to receive marketing material.

Even where a lawful basis for processing has been identified, you still need to audit the information held to ensure its accuracy. Internal procedures should be reviewed to ensure that there are the correct resources to manage and protect the information on a continuing basis. There should also be a very clear privacy policy in place.

For the first time, GDPR also introduces a general duty to report personal data breaches. A data controller must notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals (for example, a loss of customer details which could leave them open to identity theft), the controller must also tell the affected individuals without undue delay. Every breach, whether or not it is reported, must be documented internally.

Another fundamental difference between the current regime and GDPR is enforcement. Pre-GDPR, the maximum fine which the ICO can impose for a data protection breach is £500,000. Under GDPR, the maximum fine will be €20 million or 4% of annual worldwide turnover, whichever is greater.

Undoubtedly, GDPR brings in significantly more robust data protection rules and will require all businesses to review and develop their existing data protection policies and procedures. But remember that the core purpose of GDPR is to ensure that all businesses adhere to what should already be best practice.

The ICO’s website contains a lot of essential information about GDPR and will be an invaluable resource for anyone tasked with ensuring that their business is GDPR-ready in time for 25 May 2018.

The content of this blog is for information only and should not be construed as legal advice or treated as a substitute for specific advice given by Mitchells Roberton.

This entry was posted in In The News, Legal by Paul Neilly.

About Paul Neilly

Paul’s first degree was a BA Honours in Financial Services following which he spent five years working for a large insurance company as a pensions specialist. He then completed his law degree at the University of Strathclyde and Diploma in Legal Practice at the Glasgow Graduate School of Law. Paul subsequently joined Mitchells Roberton as a trainee in July 2006 and qualified as a solicitor in September 2008. Principally concerned with civil litigation, Paul specialises in contract disputes, landlord and tenant issues (commercial and residential), debt recovery, family law, employment law and personal injury claims. He also handles cases involving Adults with Incapacity. Paul regularly appears in the Sheriff Courts throughout Scotland and has experience of appearing before Licensing Boards and instructing matters in the Court of Session. Being a general civil litigator Paul is keenly aware of the need to keep step with developments in the law and legal education. This led Paul to join the committee of TANQ, the Trainee and Newly Qualified Society of the Royal Faculty of Procurators in Glasgow, in which role Paul currently organises seminars and networking events for its members. Paul is married with a young son and daughter. In his spare time he enjoys cooking, reading and watching sport, particularly following the exploits of the national football and rugby teams, although this is more of a vocation than a source of enjoyment.
