Belfast Telegraph

Now's the time to prepare for new data regulations


By Paul Eastwood, solicitor, Tughans

The countdown for the UK's implementation of the General Data Protection Regulation (GDPR) is fast approaching, with 10 months to go until May 25, 2018, the date by which affected companies are required to ensure compliance or face penalties.

The GDPR is the widest-ranging amendment to data protection law in the UK in 20 years, but if your company doesn't process any data that can identify a living person, or is prepared to face fines of up to €20m (or, if greater, 4% of the previous year's global turnover), you may be more relaxed about taking steps to prepare for the GDPR.

In light of the UK's impending Brexit, it is worth noting that this is likely to be one area of law that will remain unaffected by the country's departure, as any entity that trades in the European Union will be required to comply with GDPR.

Thinking back to the referendum some 11 months ago, the May 2018 deadline won't take long to arrive, so the time to start preparing is now or very soon.

Those companies confident of their compliance with the requirements of the Data Protection Act 1998 are in a good position but are not free from having to take further action.

The main changes the GDPR will introduce are as follows.

Maximum fines are being increased so that, depending on the nature of the breach, companies could be fined up to €20m (or, if greater, 4% of the previous year's global turnover) or up to €10m (or, if greater, 2% of the previous year's global turnover).

This is increasing from the current fine cap of £0.5m.

Consent to processing must now be given explicitly and affirmatively.

This will likely remove the ability to rely on silence or inactivity (such as failing to tick a box) to prove consent to the processing of data.

Consent may also be withdrawn at any time, and must not be used as a pre-condition for a contract for which data processing isn't necessary.

Data Processors (being those who are processing data on behalf of another entity) will now be subject to compliance requirements too.

Subject access requests must be complied within one month, instead of within 40 days.

This change of law is likely to affect the overwhelming majority of companies in the UK and entails far more changes than are set out here.

However, when it is implemented, its boundaries will no doubt be tested before the courts.

If the prospect of being a test case (with €20m riding on it) doesn't sound attractive, there is still sufficient time to start asking what data you hold, why you have it, what budget needs to be allocated to implement all the changes required, and what do the data protection (and liability cap) clauses in your current contracts say?

May 2018 may seem far off, but there is no time like the present.

Belfast Telegraph