Organisations across the United Kingdom will need to comply with new legislation as the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018.
With time ticking to bring your organisation into a state of compliance with the new regulations, it is crucial to start preparing as soon as possible.
Harpreet Sandhu, partner and solicitor at Nelsons Solicitors, explains what could happen if organisations fall foul of the law.
What is GDPR and when does it take effect?
The European Union’s new regulations will come into force on 25 May 2018. The regulation – introduced to replace the Data Protection Act – aims to help people to monitor and control how organisations use their personal data.
Strict rules mean organisations will not be allowed to collect and use personal data – such as a person’s name, email address and phone number, as well as internet browsing habits collected by website cookies – without a permitted legal basis (such as the person’s consent) set out in the GDPR.
Organisations must be completely transparent about what personal data is collected, how it is used, who it is disclosed to and how long it is kept. Individuals will be able to ask for a copy of all personal data held about them, which must be supplied within 30 days, free of charge.
In some cases, they can ask for any personal data to be deleted under a formal “right to be forgotten”. Organisations must also report data breaches, such as cyber-attacks and accidental leaks, to authorities within 72 hours under certain circumstances.
How will GDPR affect my business?
All organisations in the UK that handle personal data will need to comply with the new legal framework. GDPR compliance in itself is going to be a large project for a lot of organisations as they will need to prove they comply with the regulations. Practically, organisations will need to keep records of their compliance.
The requirements for consent will be tightened with the introduction of GDPR. Clear, positive consent will be needed – silence or pre-ticked boxes on a website will not constitute valid consent from a customer.
What are the penalties for not complying with the new GDPR rules?
Fines will depend on the seriousness of the breach – but can reach £17.5 million or four per cent of global annual turnover, whichever is higher.
Will GDPR still apply after Brexit?
Yes – the government has said the same rules will continue to apply after the UK formally leaves the European Union (EU). The UK has been a huge supporter of GDPR standards and the GDPR will automatically become law in the UK on 25 May.
After the UK formally leaves the EU, it will very likely enshrine the GDPR into UK statute. Even if it does not, any organisation promoting its goods or services to EU citizens will still have to comply with the GDPR.