31 Jan 2018
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will govern the use of personal information throughout the European Union. It replaces the EU's Data Protection Directive and the UK's Data Protection Act 1998. The Government's Data Protection Bill (due to come into force this year) will ensure that the GDPR remains in our law post-Brexit so there is little doubt that the GDPR is here to stay.
Casting the net wide
The GDPR will apply to organisations that use the personal information of EU citizens within its Member States. In certain circumstances, the reach of the GDPR will go beyond the EU and apply to the activities of an organisation located outside of the EU - the net of the GDPR is cast wide.
What is Personal Information?
Personal information is data that relates to an identified or identifiable natural person. A person can be identified from information such as a name, ID number, location data, online identifier (e.g., an IP address) or other specific factors. It includes anyone who can be identified directly or indirectly but does not include anyone who is deceased. For example, it might include details of insurance products put in place by clients, details of account transactions and the names, addresses and other contact details of clients.
What are the principles of the GDPR?
When handling personal information, the following principles apply under the GDPR. Personal information should be:
Compliance with the above principles, and the GDPR as a whole, must be clearly demonstrated. This is known as the accountability principle and goes to the heart of the changes under the GDPR. Organisations must be able to demonstrate that compliance is implemented at all levels throughout their organisation and that responsibility for compliance is allocated at board level. This can be demonstrated by implementing technical and organisational measures to ensure compliance, documenting all processing activities and policies and, where appropriate, appointing a Data Protection Officer. A significant challenge for organisations is instilling a compliance culture. The good news is that, as organisations that are either regulated by the FCA or regularly dealing with other regulated entities, your employees will understand the importance of compliance and you may even have procedures and policies which you can utilise to aid your GDPR journey.
What happens if you don't get it right?
If an organisation has not complied with the GDPR then the regulator (the UK's Information Commissioner's Office (ICO)) has the power to issue significant fines - up to the greater of 20 million euro or 4% of annual global turnover. The fines work on a sliding scale depending on the nature and seriousness of the breach. The ICO may also make use of its other enforcement tools such as audits, issuing warnings or corrective orders or imposing a ban on processing.
The key message is that it is not too late to start to get your house in order. As a starting point you should consider what personal information you have and what you use it for. This will guide your approach, and your next steps, in the lead up to 25 May.
In the run-up to the GDPR we will be running a short series of briefing notes on other areas that you should be considering and the next steps to take in order to move towards GDPR compliance.
For further information, please contact Caroline Churchill, Partner at Womble Bond Dickinson (UK) LLP, firstname.lastname@example.org