Data Protection Changes

Background

New changes are afoot in relation to data protection. The changes will be contained within a new regulation called the General Data Protection Regulation (the ‘GDPR’). The GDPR is set to apply throughout Europe and it is anticipated to take effect from 25th May 2018. With Brexit negotiations still underway, you may be wondering whether GDRP will apply to the UK. The answer is yes, they will apply. As the UK will still be part of Europe by the time the regulations have effect in May 2018, UK businesses will need to comply with the GDPR changes.

BBM’s Commercial Team recommend that businesses start planning now ahead of the changes which are soon to have effect. To assist your business in planning for these changes, we have selected a few of the key changes to take note of:

Lawful and Fair Processing

Businesses must remember that data processing is to be done lawfully and fairly. Businesses should remember to consider which lawful basis it is intending to rely on as the GDPR is set to make it more difficult for businesses to obtain valid consent for data requests.

In terms of fair processing, businesses must remember to inform individuals why their data is being requested. The GDPR is set to make this process more detailed. Businesses will be required to issue a Privacy Notice when collecting information. Please note the notice must provide the business’s identity, purpose for processing, legal basis for processing, the areas of personal data applicable, who the recipient of the personal data is going to be, how long you intend to keep the data for, what safeguards are to be in place for cases where data is to be issued to a country out with the European Union, and the rights which that individual has as a data subject. 

Processing Records

Another requirement of the GDPR is the maintenance of a record of processing. This applies to businesses with over 250 employees or businesses that intend to carry out processing which may cause a privacy risk for certain individuals. The record must set out the purpose of the processing, the areas of personal data that is going to be processed and who the recipient of the personal data is going to be.

New Investigations: Data Controllers and Data Processors

Both Data Controllers and Data Processors can now be investigated under the GDPR rules and fined for failing to comply with their obligations and the law. Contracts between data controllers and processors must comply with the GDPR and make certain that the controller is aware of any sub-contractors.

Increase in ICO Powers

Under the GDPR the ICO will be granted new powers, including the power to impose greater levels of fines (increasing from the current maximum of £500,000) to 20 million Euros.

Design and Data Privacy Impact Assessment (‘DPIA’)

The GDPR is introducing the requirement of a DPIA. This must be completed by all businesses when embarking on a new project where it is believed that there is possibly a high risk to an individual’s privacy rights. In particular, a DPIA is likely to be relevant where there is to be large scale processing of sensitive data and cases of automatic processing for cases that have a substantial or legal impact on the individuals involved.

Contact BBM Solicitors – Expert Data Protection Regulations Solicitors Edinburgh, Wick, Scotland

If you require any advice in relation to complying with the new data protection regulations, please contact our Solicitors on 0131 526 3280 or 01955 604188.