Is Your Business Ready For GDPR? – New UK Data Protection Legislation 25 May 2018

What is GDPR?

General Data Protection Regulation (GDPR) is the new EU regulation which will come into force in the UK on 25 May 2018. It supersedes and strengthens the current data protection legislation, the Data Protection Act 1998, by introducing stringent new obligations for businesses and organisations and increasing the rights of individuals.


Under the new legislation there will be larger fines, mandatory breach notification, opt-in consent and explicit responsibility for data transferred outside the EU. The impact on businesses will be considerable and will permanently change the way customer data is collected, stored and used. In preparation for Brexit, the GDPR will be written into UK law through a new Data Protection Bill.

Which Businesses Or Organisations Does GDPR Apply To?

GDPR applies to any business or organisation that holds or processes the personal data of EU residents, regardless of where the business itself is located. Any business which handles such personal data MUST put the key measures in place to meet the new requirements by 25 May 2018. A business or organisation that offers goods or services to, or monitors the behaviour of, EU residents must meet all GDPR compliance requirements even if it has no establishment in the EU. Because the regulation follows the data subject rather than the business, it will continue to apply to UK businesses serving individuals in EU Member States after Brexit.

What Data Will Be Covered Under GDPR?

Data categories are being expanded under GDPR to include:

‘Personal’  data:

  • An individual’s identification number (no further guidance is provided on this, but in the UK it may include an individual’s National Insurance number or any other numbered or lettered identifier)
  • An individual’s location data
  • An individual’s online identifiers (this would include an IP address or a cookie identifier)
  • Factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

‘Sensitive Personal’ data:

  • Data which relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sex life or sexual orientation, or criminal record. The GDPR calls sensitive personal data ‘special categories of data’; these include all the categories listed above with the addition of genetic data and biometric data processed to uniquely identify an individual. The GDPR does not treat criminal records as a ‘special category of data’ (they are subject to their own separate rules), although currently criminal records constitute sensitive personal data under the Data Protection Act

What Rights Will Individuals Have Under GDPR?

Individuals Will Have The Right To:

  1. Give explicit consent for the processing of their personal data
  2. Withdraw consent for further processing
  3. Be notified of a data breach that affects them
  4. Ask an organisation to erase all their personal details (the ‘right to be forgotten’)
  5. Transfer their data to another organisation (data portability)
  6. Ask for incorrect data to be amended
  7. Know how their data will be used

Steps Businesses Should Be Taking To Prepare For GDPR

  1. Awareness – Make sure decision-makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have
  2. Audit – Carry out an information audit to assess how you manage personal data and document what personal data you hold, where it came from and who you share it with
  3. Processing records – Review your data processes and develop a procedure to record data processing activities
  4. Security – Review data security procedures to ensure you are taking sufficient steps to keep personal data secure
  5. Privacy notices – Review your current privacy notices and put a plan in place for making any necessary changes
  6. Consent – Where you rely on consent, it must be freely given, specific, informed and unambiguous. Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard
  7. Lawful basis – Identify the lawful basis for each processing activity under the GDPR, document it and update your privacy notice to explain it
  8. Individuals’ rights – Check procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format
  9. Subject access requests – Assess how you handle subject access requests to ensure you will be able to process these for free and within one month
  10. Supply chain – Discuss the implications of the GDPR with companies in your supply chain, gain confirmation of compliance and update contracts
  11. Training – Train staff to handle personal data correctly
  12. Breaches – Have the right procedures in place to detect, report and investigate a personal data breach
  13. Data protection officer – Consider appointing a data protection officer with responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements
  14. International – If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority

Non-Compliance Penalties For Businesses

  • Businesses will need to comply with the GDPR from 25 May 2018 or face steep penalties
  • Fines for non-compliance are large. Breaking the rules could lead to fines of up to €20m (around £17m) or 4% of a company’s total worldwide annual turnover, whichever is higher. This is the maximum fine that can be imposed for the most serious violations, e.g. processing without a valid lawful basis (such as sufficient customer consent) or infringing individuals’ privacy rights. The current maximum fine firms can suffer for breaking data protection laws is £500,000.
  • However, there is a tiered approach to fines: a lower tier of up to €10m or 2% of turnover applies to failures such as not keeping records of processing in order, not notifying the supervisory authority and affected data subjects about a breach, or not conducting a required impact assessment. It is important to note that these rules apply to both controllers and processors

Contact

Ten Live Group
Award-Winning Global Recruitment

Logistics, Industrial, Rail, Education, Healthcare, IT, Technical (Engineering, manufacturing, Telecoms, Aerospace, Construction, Defence and Automotive), Energy Oil & Gas, Professional / Executive, Accountancy / Finance,  Sales and Marketing, Office, HR /  Training, Food and Drink

Contact our expert recruiters to find out how Ten Live can attract and source top candidates for your organisation.

Tel: + 44 1236 702 007
E-mail: info@tenlivegroup.com

Sources

REC, Forbes, ICO
