1st December 2017
The General Data Protection Regulation (GDPR) comes into force in the UK on 25 May 2018 and will be unaffected by our decision to leave the EU. The regulation strengthens the rights of individuals to control the way in which their personal information is used and increases the obligations on businesses to ensure that any personal data they collect is handled in a fair and transparent way. If you have not already familiarised yourself with the provisions of the GDPR, and audited your business to ensure compliance, you need to do this now, before the new requirements come into force.
In the first of a two-part series of articles looking at GDPR, the commercial lawyers with Myers & Co in Stoke on Trent, Staffordshire, provide an overview of the key requirements. In the second article, they explain the steps you should take to prepare for them.
Individuals will have the right to:
‘The right to be forgotten exists where there is no compelling reason for personal information about an individual continuing to be held and used, for example where it is no longer needed for the purpose for which it was collected or where use of the information was only permissible because of the individual’s consent and this has since been withdrawn. However, it is not an absolute right which means that where, for instance, there is a legal obligation to continue to use the information or where the information is needed for the bringing or defending of a legal claim, a request for erasure can be refused.’
Where someone asks for erasure and you determine that the request should be honoured, you will need to ensure that the data is actually erased. You will also have to notify any third party with which you have shared the information so that they can take steps to erase it as well.
Businesses will have to:
Again, some of these obligations already exist under the Data Protection Act, but there has been a widening and strengthening of the requirements. For example, if you are relying on the consent of an individual for the collection and use of their personal data, this consent needs to be express. You cannot rely on pre-ticked or opt-out boxes, or on silence or inactivity. You also need to ensure that where consent is given, you make it easy for that consent to be withdrawn.
The definition of personal data has been broadened to include online identifiers, such as an IP address, and pseudonymised data – that is data that has been altered to try to make it less obvious who it relates to – but from which it is still possible to determine who the individual is. For example, if you use a system which identifies individuals by a reference number that uses a combination of random letters and numbers rather than the individual’s name, this will be caught if it is possible to link the reference number back to the particular individual concerned.
Businesses will have to be able to demonstrate compliance with the GDPR requirements or face the possibility of a fine of up to €20 million (around £18 million) or four per cent of annual global turnover, whichever is higher.
If you require advice on the GDPR and the impact it will have on your business, please contact us on 01782 577000 or email firstname.lastname@example.org.
The contents of this article are for the purposes of general awareness only. They do not purport to constitute legal or professional advice. The law may have changed since this article was published. Readers should not act on the basis of the information included and should take appropriate professional advice upon their own particular circumstances.