Data protection reforms – what do I need to know and when?

Wake Smith Solicitors 05 June 2017

Data protection reform is less than a year away.

If you are a business owner or key decision maker or involved in compliance you need to know now  what is coming so as to plan for it.

Wake Smith director Holly Dobson, who specialises in employment, data protection, and dispute resolution, looks at the headline changes and asks if you are ready?

The reforms apply from 25th May 2018.  This is the date when the General Data Protection Regulation (“GDPR”) takes effect – so that’s less than 160 working days from now.

  • If you are 100% compliant with the current Data Protection Act, you are in a good place to start. Are you in a position to say that or do you need to play “catch-up” fast?
  • GDPR applies to data processers as well as data controllers. Some businesses won’t have a compliant model to build on.
  • There will be mandatory self-reporting of breaches. Yes, you’ve read this right and what’s more within the 72 hours of the breach.
  • There will be a mandatory requirement to contact all potentially affected data subjects promptly in the event of a breach.
  • Fines up to the greater of €20million or 4% annual global revenue will be imposed. If nothing else grabs your attention this should.  Even if your business survives any publicity that arises, can it survive the fines?  If it can, what will be the effect be on profitability?
  • There will be a mandatory requirement to appoint a Data Protection Officer in some businesses and across some sectors.
  • The current compliance principles will be replaced with new ones. As a result, there will be a transformational change to governance and compliance.  You will find a greater emphasis is placed on accurate documentation enabling audits of your compliance.
  • New data subject rights and an enhanced emphasis on existing data subject rights will come in. These rights include the right to free data subject access requests to be complied with within a month.  All new and enhanced data subject rights, of which this is only one, apply equally to your customers or clients and to your employees.
  • Privacy notices and consent. One consequence of the changes will be a greater focus on the processing of data that you do and your explanation as to the lawfulness of what you do. You should “future proof” your processes now.
  • Data Protection by Design and Data Protection Impact Assessments. Putting privacy at the heart of all that you do will be the effect of the reform.  That is what they have been designed to achieve.  The reforms make Data Protection Impact Assessments mandatory in certain circumstances.

Mandatory Self Reporting

We are all in for a culture shock from the morning of 25 May 2018. From then on we have to report a data breach to the regulator within 72 hours.   What’s more there are very few exemptions.

It is not just the fact of the breach report which will impact on us all, but the level of detail we will have to report will place the organisation’s compliance model under the spotlight.

From that first breach the details that must be reported will provide evidence to the regulator of our business culture; policy and procedures; training and awareness in connection with our data and the circumstances of the data breach.

By its very nature we will all be ensuring that the regulator knows which businesses and which sectors to target. 

Data Protection Officers

A designated Data Protection Officer will be mandatory for public bodies, and also for businesses where the core activities are large scale, regular and systematic monitoring of data subjects. Also, where the core activities are large scale processing of special categories of data, so this includes issues relating to health information, for example.

The obligations of the Data Protection Officer are set out in detail in GDPR and this is an important role which requires support and resource from the organisation concerned. 

Need help?

The good news is that there is plenty help on hand to prepare for the reforms.

The Information Commissioners Office (“ICO”) have a good landing page and they have just updated their “12 Initial Steps To Take Now” leaflet.

Wake Smith is running a series of free seminars in 2017 to help businesses prepare. So far these have been fully booked but keep a look out for further events on our website or contact [email protected]

We are designing in-house training on the issues for some clients and are happy to discuss your organisation’s budget and needs.  

For a discussion on how GDPR will impact your particular business and for any further assistance, contact [email protected]  

Tags

Archive

December 20245November 20245October 20246September 20245August 20245July 20243June 20243May 20245April 20242March 20247February 20242January 20248December 20236November 20232October 20233September 20232August 20234July 20232June 20235May 20237March 20234February 20235January 20233December 20225November 20224October 20224September 20223June 20221May 20227April 20223March 20223February 20223January 20224December 20214November 20213October 20214September 20216August 20212July 202111June 20218May 20216April 20212March 20218February 20218January 20219December 20208November 202013October 20208September 20208August 20203July 20208June 202016May 202011April 20206March 202016February 20208January 202011December 20199November 20199October 201911September 20195August 20194July 20196May 20198April 20196March 20193February 20195January 20194December 20186November 20185October 20182September 20185August 20184July 20189June 20184May 201810April 20185March 20184February 20184January 20183December 20175November 20178October 20177September 20179August 20175July 20176June 201710May 20175April 20178March 201711February 20176January 201710December 20169November 20167October 201610September 201610August 20166July 20167June 20163May 20162April 20166March 20162February 20164January 20165December 20153November 20155October 20156September 20156August 20157July 20157June 20157May 20156April 20159March 20156February 201510January 20156December 20145November 20144October 20142September 20143May 20144March 20146February 20144January 20142December 20132November 20133September 20134July 20132June 20132May 20133April 20131March 20133February 20133January 20136December 20121November 20123October 20122August 20122July 20128June 20123April 20123March 20121January 20124December 20112November 20111October 20112September 20113August 20113July 20117June 20119May 20117April 20115March 20119February 20118January 20111December 20101October 20102September 20102August 20103July 20106June 20101May 20102April 20106March 20102February 20103January 20102December 20095November 20092October 20092September 20092August 20091July 20095June 20095May 20093April 20093March 20093February 20091January 20092November 20082October 20082September 20081August 20083July 20081January 20082

Featured Articles

Contact us