What are the requirements?
From 25 May 2018, every UK business that holds personal data about EU citizens, including its customers, must comply with the new data protection rules set out in the General Data Protection Regulation (GDPR). GDPR was approved by the European Parliament in 2016, giving organisations two years to comply with the new legislation.
GDPR replaces the 1995 EU Data Protection Directive (95/46/EC), bringing the law up to date with how companies use the Internet and cloud technology and making provision for new, previously unforeseen ways of gathering and using personal data.
The UK Data Protection Act 2018 supplements the GDPR in UK law and applies to ALL UK companies; after Brexit the regulation itself was retained in UK law as the "UK GDPR", so the Act and the UK GDPR operate together.
This legislation is designed to protect and empower EU and UK citizens, offering improved control over, and transparency about, how their personal information is held and used.
How could Data Protection Laws affect your organisation?
Broadly speaking, Data Protection Laws affect every organisation that holds or uses personal data, including organisations outside Europe that offer goods or services to, or monitor the behaviour of, people in the EU. Any kind of personal data, including IP addresses and other online identifiers, must be processed transparently and, when required, deleted.
Data Protection Laws define Data Subjects, Personal Data, Controllers and Processors. If you're unsure of the terminology, please read The UK Data Protection Act 2018 & GDPR summary definitions.
Your organisation may be a controller, a processor or both, but either way you still need to ensure you're compliant, and every organisation should know exactly what it needs to do to avoid hefty fines.
Key Changes
- Penalties for the most serious non-compliance are up to €20m or 4% of a company's annual worldwide turnover, whichever is higher.
- If a personal data breach occurs, the supervisory authority must be notified within 72 hours of the organisation becoming aware of it (unless the breach is unlikely to result in a risk to individuals). Failure to do so could lead to a fine of up to €10m or 2% of annual worldwide turnover, whichever is higher.
- Clear and plain language must be used when requesting consent for the use of personal data, so any illegible T&Cs full of confusing and obtuse language will need to be revised. You also cannot rely on pre-ticked boxes, silence or inactivity, or require the data subject to perform an action in order to opt out. Instead, clear, affirmative consent must be obtained before using personal data.
- Data controllers need to make it easy for data subjects to withdraw consent to use their data.
- If requested, data controllers must provide a data subject with a free-of-charge copy of their personal data, in a commonly used electronic format where the request was made electronically.
- Data must be provided in a structured, commonly used, machine-readable format such as CSV, so that it can be moved to another organisation, free of charge and within one month, if a data subject requests it.
- Data subjects can exercise the right to be forgotten (the right to erasure). This means that:
a) controllers must delete personal data that is no longer necessary for the purpose it was collected for;
b) if a data subject withdraws the consent on which the processing was based, and no other lawful basis applies, all of their personal data must be deleted.
- As a data controller, you can only hold and process data that is adequate, relevant and limited to what is necessary for the purpose it was collected for (data minimisation).
- If you are a public authority, a company processing special category (sensitive) data on a large scale, or you carry out large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking), you are required to appoint a Data Protection Officer.
How did Brexit change things for UK organisations?
Organisations with customers in the European Union still need to comply with the EU GDPR regardless of the UK's status within the Union. For UK data, the GDPR was retained in UK law at the end of the Brexit transition period as the "UK GDPR", supplemented by the Data Protection Act 2018, so post-Brexit UK data is still protected in much the same way as before. See UK Data Protection Act 2018 & GDPR
Compliance with Data Protection Laws
The amount of work involved to comply with Data Protection Laws will vary depending on a number of factors: how much you use marketing data and how you communicate with your prospects (e.g. email & telephone marketing to potential customers), and if you’re already working in line with industry best practices for data protection.
Regardless of your business's activity, if you use personal data you will need to review the way you work and implement the necessary changes as soon as possible to ensure compliance; you may even need to seek expert advice (as we did here at Document Genetics) if you are unsure how to remain compliant. We wrote this GDPR WhitePaper after seeking professional advice, which you may find useful.
In Conclusion
Recent Data Protection Laws are the biggest shake-up of data protection law for over 20 years and fundamentally change the way organisations can store and use data. Furthermore, they place the data subject's rights at the very centre of data protection regulation: organisations no longer own personal data but should instead consider themselves custodians of it.
The use of technology alone will not ensure compliance with Data Protection Laws, but Document and Records Management software (DMS / EDMS), such as infoRouter, can play a key role in complying with Data Protection Laws in the following areas:
- The right to be forgotten
- The right of access
- The right to data portability
- Breach notification standards
- Privacy by design
With this in mind, we have written a GDPR WhitePaper which considers the useful role of Document and Record Management Systems with regard to Data Protection compliance.