There are now fewer than six months to go until GDPR implementation, when it becomes law throughout the EU, including the UK. Any business operating in the EU, serving EU customers or shipping orders inside Europe will need to comply.
From training staff to rewriting privacy policies, there’s a lot that needs to be done to ensure your business is ready for GDPR. If you’re in the UK, the new Data Protection Act will form the basis of data protection law. However, ensuring your business is ready for GDPR will also ensure you are ready for the new Data Protection Act.
What is in the new UK Data Protection Bill?
Along with transposing GDPR into UK law, the Bill will replace the UK’s DPA 1998 and ensure that data protection law remains Brexit-proof. The UK legislation will set out the groups who are exempt from having to follow a number of data protection rules altogether. These include bodies investigating financial crime and journalists who are seeking to expose wrongdoing. Scientific and historical research organisations are also exempt from complying where it would hinder their work, and employees who access sensitive personal data without consent may do so, where justified, if it fulfils an employment law obligation.
Crucially, financial services firms who are handling personal data connected to a suspicion of money laundering or terrorist financing are exempt from a number of obligations.
Further UK-specific measures set out in the legislation:
- Requires social media platforms to delete information held on a user at the age of 18
- Repeals the Data Protection Act 1998 and establishes a single data protection law covering both EU and domestic law
- Allows children aged 13 or older to consent to personal data being processed
- Allows organisations to continue processing criminal conviction and offences data as they currently do
- Allows legitimate automated decision-making in some circumstances, such as credit reference checks
The UK legislation will introduce a number of new criminal offences related to data protection. These include:
- Unlawfully obtaining personal data
- Unlawfully altering personal data
- Re-identification and de-identification of personal data
The Bill will also give the Information Commissioner’s Office (ICO) enhanced powers to ensure enforcement and levy administrative sanctions, with the maximum fine available rising to £17m, or 4% of annual turnover, whichever is higher. Currently the ICO is limited to fines of up to £500,000.
One key benefit the government hopes the Bill will deliver is an adequacy finding when the UK leaves the EU. There would be serious consequences for the UK’s data flows to the rest of the world should the EU not find the UK’s data protection regime adequate.
Other GDPR provisions that are being fully transposed into the UK legislation, such as tougher consent requirements, refreshed principles of data protection and tighter timescales for breach notification, will also be subject to further guidance from the ICO.
What to do between now and GDPR implementation
To make sure your organisation is ready for GDPR and the new UK Data Protection Act, VinciWorks suggests taking the following steps.
- Review the ways you currently obtain consent and assess whether these will be valid under GDPR. If not, change your procedures.
- Check whether you collect any genetic or biometric information and implement procedures for protecting sensitive personal data.
- Make sure company policies on personal data are updated to reflect the six data protection principles.
- Ensure there are procedures for dealing with data portability and right to be forgotten requests.
- Check and update your privacy notices.
- Think about setting up a central data breach management register.
- Consider how GDPR may impact any international data transfers you carry out.
- Ensure staff have adequate and up-to-date training on data protection and the GDPR changes.
For more information on upcoming changes and what to do about them, download VinciWorks’ free guide to GDPR and review the tools available to help your organisation get ready for the big day in May 2018.
Free mini course on the six principles of GDPR
The six principles of GDPR replace the eight principles of data protection in the Data Protection Act 1998. VinciWorks’ mini course on the six principles of GDPR is part of our course Data Protection: Privacy at Work. You can take the five-minute course by clicking on the button below.