An overhaul of EU data protection regulation is due to become law in May 2018 with the new EU General Data Protection Regulation (GDPR), and companies in the UK are being advised to put everything they need in place well in advance of this date to ensure they are fully compliant with the new regulation.
Some business owners may have wondered whether Brexit has saved them from having to make the relevant changes, but as the UK will still be part of the EU when the new rules come into play, they will still have to comply. Add to that that any company outside the EU that wishes to target EU consumers also has to comply with the data regulations, and it pays to do your homework now rather than be caught in the wrong place when 2018 comes around.
What Businesses Need to Know
There are a few key points that business owners need to understand about the new GDPR.
Accountability – businesses covered by GDPR will have to show that they have been compliant, so certain documents will have to be maintained, privacy impact assessments carried out, and privacy by design and by default implemented across the company.
Consent – The collection of data must only take place with explicit consent for certain categories and companies cannot rely on existing consent for data already held.
DPOs – Data Protection Officers will have to be in place in some circumstances, so companies will have to understand if they are required to have a DPO and who that can be within an organisation.
Enhanced Individual Rights – Individuals will have a greater say in objecting to the processing of information relating to them, data portability, objections to profiling and other aspects of data control.
Detailed Privacy Policies – All existing documentation relating to privacy policies will have to be updated to be more detailed, clearly outlining new enhanced rights for individuals.
Notification of a Breach of Information – There will be new rules in place that require all breaches to be reported within 72 hours (subject to conditions), so processes for dealing with such scenarios will need to be updated.
What Businesses Need to Do Before May 2018
It is widely thought that even in a post-Brexit UK the law will still hold companies accountable to the new GDPR, because the rules apply to any company aiming to work with consumers based in the EU.
It is important that business owners understand the points above and put in place updated and robust policies, procedures and processes to ensure they are fully compliant with the new data laws. Companies that are found in the future not to be compliant with these new laws will be subject to potentially heavy fines and will also suffer damage to their reputation, given how sensitive data protection is in the public eye. Losing consumer confidence as a result of data breaches is enough to send a company into a spiral of damage and loss in value.