Brexit or no Brexit, the EU’s GDPR is unavoidable for UK companies. Sara Meyer explains the fundamentals of the new legislation.
The new data protection regime introduced by the EU General Data Protection Regulation (GDPR) will take effect in the UK from 25 May 2018.
While most companies have got to grips with the basic requirements of data protection law over the past 20 years (e.g. keeping data secure, restricting data retention periods, and handling subject access requests), the GDPR really ups the ante.
With just weeks to go, we look at what companies should be doing to prepare for the new data regime.
Fundamental principles
The principles of the GDPR, identifying how personal data should be handled and used, are largely based on existing law – for example, personal data should only be used fairly and lawfully, and should not be kept for longer than necessary.
However, the GDPR also introduces various new obligations, such as requirements to:
- Build in data protection ‘by design and default’ – effectively, putting data protection considerations at the heart of your processes
- ‘Demonstrate’ compliance – i.e. it’s not enough for a company to comply with the law, it must also be able to provide evidence that it has done so.
The importance of compliance is underlined by the significant potential penalties for breach, which include fines of up to €20m or 4% of an organisation’s annual global turnover, whichever is higher.
The GDPR will be enforced in the UK by the Information Commissioner’s Office (ICO).
This article first appeared in the April issue of The Manufacturer magazine.
No Brexit opt out
Brexit will not affect this, as the GDPR will apply directly in the UK before we leave the EU, and the Data Protection Bill currently progressing through Parliament is intended to bring the GDPR into domestic law in readiness for our exit.
The GDPR regime is so onerous that achieving full compliance by 25 May is unlikely to be possible for most companies – nevertheless, it’s imperative that companies take steps to get as close as possible to compliance.
The first step, if companies haven’t done so already, is to conduct an audit to understand (among other things) what personal data they process, for what purposes and on what legal grounds.
This information will help companies to produce their most essential GDPR documents – namely:
- Privacy Notice – informing individuals how the company uses their personal data
- Retention Policy – explaining how long the company might keep individuals’ personal data
- Data Protection Policy – explaining how the company complies with its GDPR obligations and how it expects employees who handle personal data in their jobs to comply
- Record of Processing – detailing how the company uses personal data (this is an internal document, but must be shown to the ICO on request)
Companies should also ensure they have access to a Data Protection Impact Assessment (DPIA, often called a Privacy Impact Assessment or PIA) template, which they must use to assess data protection risks where processing is likely to result in a high risk to individuals.
Help from EEF
EEF have produced templates for each of the above essential documents for your company’s HR department.
For details of how EEF can help with the new legislation, contact our legal teams.
For further information, visit: www.eef.org.uk
Sara Meyer, senior legal adviser, EEF