Preparing for the new General Data Protection Regulations
By Dermott Thomas
Several high-profile leaks from major institutions such as Mossack Fonseca, the international law firm, have caused huge embarrassment to both individuals and governments with the exposure of embarrassing personal information. UK banks have also been caught up in high-profile leaks, as have government departments.
On 14 April 2016 the European Parliament approved the draft General Data Protection Regulations (GDPR), which will have direct effect in this country, superseding the existing Data Protection Act.
A headline provision is the lifting of the existing £500,000 maximum fine to one of up to €20 million or up to 4% of the offender’s total worldwide turnover, whichever is higher.
There is a long lead-in to the introduction of the regulations in May 2018, with the stated objective of getting companies to focus on getting their compliance right before then.
The regulations represent a sea change in terms of strict procedural requirements, and the Information Commissioner’s Office has already published guidance to help organisations prepare for the implementation of the GDPR. The guidance includes ensuring awareness of the new regulations at the highest level of organisations; ensuring tight procedures are in place; ensuring clear lines of responsibility for compiling information consistent with individuals’ personal rights and for handling breaches; and reviewing how consent is sought, obtained and recorded, making changes where necessary.
The stated objective of the regulations is to put individuals in control of their data. Therefore the giving of consent for the use of personal data must meet very high standards.
- It cannot now be bundled with a sign-off of general terms and conditions.
- The consent must be capable of being easily withdrawn at any time.
- Consent should not be presented as a “take it or leave it” option otherwise it is not freely given.
Various rights of the individual are enshrined in the new regulations, including a right to object to data processing together with rights of access, rectification and/or erasure of the information.
Companies should start bringing in revised and improved systems now to comply with the regulations as there is unlikely to be any good excuse not to be compliant by the time they are implemented in 2018.
This article originally appeared in the May edition of Business East.