The General Data Protection Regulation (GDPR) is a comprehensive data protection regime which will start to be enforced in the UK in May 2018. The penalties for non-compliance can be very substantial – for serious breaches, up to 4 per cent of global turnover or €20 million, whichever is the higher – and it imposes significant compliance issues for any organisation which holds protected data. Although it is European legislation, the Government has indicated that it will remain on the UK statute books after Brexit.
What is Protected Data?
The data protected under the GDPR is personal data – that which relates to an identifiable person. Generalised data is not covered unless possession of that data allows a person to be identified. However, organisations hold a great deal of information which is sensitive and confidential (turnover by category of goods, for example), so the need to comply with the GDPR also gives management the opportunity to think seriously about data protection and security generally.
Key to the GDPR is the concept of 'data protection by design', so that data protection risks are considered at all steps of data handling and storage.
The minimum necessary amount of personal data must be collected and it must be processed for a specific purpose and for that purpose only. In addition, access to data must be restricted to only those personnel who are necessary for the purpose and data should not be retained for longer than is necessary.
There are substantial rights given to individuals as to how information about them is collected and held.
As a first step, make sure everyone in your organisation who has access to or processes personal data is aware of the GDPR and the need to comply with its requirements. This may involve specialist training and almost certainly will necessitate reviewing procedural manuals and possibly terms and conditions of contracts.
The list below contains the 'bare bones' of compliance – there will be additional issues if you export data abroad, make use of 'bought-in' data or share your data. You may need to appoint a data protection officer to have responsibility for and control over GDPR compliance. Some types of data breach will need to be disclosed to the Information Commissioner's Office (ICO).
- Create a record of the personal data you hold, its origin and with whom it is shared;
- Conduct a risk assessment covering each of the above, assessing the risks of breach of the GDPR;
- Create a plan to minimise the risks for all the personal data held;
- Ensure specifically that you have obtained informed consent of the recipients of mail on your mailing lists. If you do not have the consent of individuals to be on your mailing lists, remove them. Ensure individuals cannot be added if you do not have informed consent;
- Create a procedure to ensure you can comply with subject access requests which does not compromise the safety of any other data;
- Create a documented set of procedures showing how you comply with the GDPR; and
- Create a system for detection and investigation of any breaches of data security.
There is more information on the GDPR on the ICO website. The section on the rights of the individual warrants special attention by anyone carrying information about individuals.