While most businesses are aware that the data protection landscape is due to change in May 2018, the extent of these changes and the steps that should be taken to ensure compliance are still largely unknown.
The main changes that will be implemented by the new General Data Protection Regulation (GDPR) include:
- Wider application – the new GDPR not only applies to EU businesses processing personal data, but also extends to non-EU businesses that offer goods and services to customers in the EU;
- New obligations for data processors – under the old regime, no obligations were imposed directly on data processors;
- Enhanced rights for data subjects – these rights include a new right for an individual to request that their data be transferred from one service provider to another (“right to data portability”);
- Requirement to maintain processing records – for businesses employing more than 250 employees, a requirement to maintain records of processing activities – this requirement applies to both data controllers and data processors;
- Stricter breach notification requirements – this includes requirements to notify the ICO (Information Commissioner’s Office) and individuals of data security breaches;
- Greater sanctions for non-compliance – maximum fines of €20 million or 4% of the total worldwide annual turnover.
In order to ensure compliance with the new GDPR, businesses should carry out a review of their existing data protection practices and policies to determine where changes need to be made.
In certain situations, businesses may also need to appoint a data protection officer who is professionally qualified and has expert knowledge in the field of data protection.
Businesses should also integrate data protection into their system and product designs (“privacy by design”) and implement measures to ensure that they only process personal data necessary for a certain purpose (“privacy by default”). All staff involved with data processing should also be provided with regular training and information in relation to data protection.
If you wish to discuss any of the issues raised in this article or would like assistance with complying with the new GDPR please contact Rebecca Anforth, head of Intellectual Property, on 01872 226999 or firstname.lastname@example.org.