SME Adviser Series: EU General Data Protection Regulation

GDPR comes into force in May – Are you prepared?

The new data protection rules coming into force on 25 May 2018 will change how companies are required to process personal data, such as customer lists and employee records.

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. Its aim is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.

Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies. The key changes for business are as follows:

1. GDPR applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Personal data is any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
2. GDPR is more complex and carries much tougher punishments for those who fail to comply with new rules with fines of up to 4 per cent of annual global turnover
3. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it
4. Notification to customers of a data breath is mandatory and must be done “without undue delay” after first becoming aware of a data breach
5. Data subjects have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. The data controller must provide a copy of the personal data, free of charge, in an electronic format
6. Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data
7. GDPR introduces data portability – the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly use and machine readable format’ and have the right to transmit that data to another controller.
8. GDPR’s privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition
9. There will be internal record keeping requirements and the appointment of a Data Protection Officer will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale

Note: GDPR and Brexit
If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear. The UK Government has however indicated it will implement an equivalent or alternative legal mechanism.

At Beavis Morgan, we understand the challenges faced by business owners. We work with many small and medium sized businesses across a wide range of industry sectors, guiding them though the various stages of business life from start up to exit and all the challenges in between. If you have any concerns relating to the matter of data protection, we are able to put you in touch with companies within our extensive network of contacts who will be able to assist. It’s part of our commitment to supporting SME businesses by providing a holistic suite of business advisory services.

Please contact Gareth Dalton on 020 7549 2433 or your usual Beavis Morgan Partner for further information and assistance.

Useful information:

GDPR Portal website is a resource to educate the public about the main elements of the General Data Protection Regulation
• The Information Commissioner’s Office has provided a data protection self assessment toolkit for SMEs, including a section focussed on getting ready for GDPR. The checklist aims to help businesses assess their progress in preparing for GDPR.
• BT has also produced a white paper, ‘Dealing with new EU data-protection regulation’, which outlines the implications of the new regulations and gives advice on how best to prepare.