10 key points on data protection that every FD needs to know

If you think Brexit means less red tape, think again.

British business will still have to comply with the forthcoming EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.  It may seem a long way off, but if your business doesn’t start preparing now, you could fall short next year and be at risk of huge fines. Matthew Pryke, a partner at Hamlins LLP, gives financial directors the key points they need to know.

1. Significant fines

The Information Commissioner’s Office (ICO) will be able to impose fines of €20m (£17m) or up to 4% of global annual turnover, whichever is the greater, for businesses who breach the regulations. As the ICO will need to fund its operation via these fines it seems inevitable that fines will be imposed as soon as the legislation is in force.

2. Awareness and budgets

Business directors will need to ensure that they use the next 15 months to raise awareness of the new regulations and put in place the necessary structures to ensure compliance. Crucially, is a budget in place to fund the compliance activities required by the business?

3. Self-notification of data breaches

The GDPR requires businesses to proactively notify the ICO of any breach of the regulations. The GDPR expects businesses to have the right internal procedures in place to detect, report and investigate a personal data breach.

4. Appoint a Data Protection Officer

Businesses will be required to designate a Data Protection Office who is somebody who takes responsibility for data protection compliance within the organisation.

5. Information you hold

The business is required to document which personal data it holds, where it came from and who the business shares it with.

6. Communicating privacy information

The GDPR requires additional information to be supplied to individuals, including the need to identify the legal basis for processing data, the data retention periods and the right individuals have to complain to the ICO if there is any problem with the way in which an individual’s data is being managed.

7. Individual rights

The GDPR provides individuals with enhanced rights to determine the manner in which their data will be managed and processed.

8. Subject access requests

Businesses will no longer be able to charge individuals for dealing with their subject access requests. In addition, the previous deadline of 40 days for compliance has been reduced to just one month.

9. Consent

Businesses are required to obtain a positive indication of agreement to personal data being processed. This consent cannot be inferred from silence, pre-ticked boxes or inactivity.

10. Children

Special protection is provided for within the GDPR for the processing of children’s personal data. Businesses will need a parent or guardian’s consent in order to process children’s personal data lawfully.

Planning ahead

It is essential for businesses to start planning its approach to GDPR compliance as early as possible. Having a budget and a strategy is always a good start but ultimately “buy in” and leadership from the key directors is perhaps even more important.

Matthew Pryke is a partner at law firm Hamlins LLP.