The GDPR (General Data Protection Regulation) has become a buzzword well beyond the legal sector, and many companies are left questioning their data collection practices and how GDPR compliant they are. By now, many of you may be fed up with hearing the acronym ‘GDPR’, but that does not make it any less significant an issue for companies to address with immediate effect.
This is especially so because the General Data Protection Regulation comes into force in less than two months, on 25 May 2018. These European Union rules, which have been labelled the biggest ever overhaul of data legislation and which the UK government will enforce despite Brexit, mean individuals will have the right to ask companies to show them more of the personal data gathered on them.
Who does GDPR concern?
The legislation concerns every company that targets consumers in the European Union and holds or transfers data relating to them. This applies if, for example, you write down customer details to book appointments, re-contact customers to ensure regular appointments are booked, collect data for competitions on your social media, gather details via your contact form, run a subscription box on your blog, and much more.
What happens if my company is not GDPR compliant?
Considerable penalties can be imposed on employers that breach the GDPR, including fines of up to €20m or 4% of annual worldwide turnover, whichever is greater.
At the core of the legislative changes is the concept of consent. The GDPR gives people more say over what companies can do with their data, including who they can share it with and how their data is processed. The concept of consent is not new, but the level of consent that must be obtained is. The GDPR sets a higher standard than that required under the UK Data Protection Act (DPA): companies must ask for positive consent by using an unambiguous statement that requires users to take an affirmative action to ‘opt in’. The new definition of consent collates existing European guidance and good practice.
What are the requirements for GDPR that I should be aware of for my business?
In practical terms, businesses must review their consent mechanisms to ensure compliance with the GDPR by May 2018. At their simplest, the requirements of the GDPR are:
- Unbundled: consent requests must be kept separate from other terms and conditions. Consent should not be a condition of signing up to a service unless it is necessary for that very service.
- Active opt-in: pre-ticked opt-in boxes are now invalid. Use unticked opt-in boxes or comparable active opt-in methods.
- Granular: give granular options for consent wherever conceivable and suitable. This will entail seeking separate consent if data can or will be used in different ways or by different parties.
- Named: name your organisation and any third parties who will be relying on the individual’s consent; even precisely defined categories of third-party organisations will not be sufficient under the GDPR.
- Documented: keep records to prove what the individual has consented to, as well as what they were told, and when and how they consented. Greater importance is placed on the documentation that Data Controllers must keep to demonstrate their accountability.
- Easy to withdraw: individuals should be told that they can withdraw consent at any time they wish, and you must act on the withdrawal immediately. It must be as simple to withdraw consent as it was to give it. This means you will need simple and effective withdrawal mechanisms in place.
J M R’s Comment on GDPR from a legal perspective:
“Since 1995, when the Data Protection Directive became law, there have been great changes in how companies handle and obtain data. We now have the full force of the internet, social media and smartphone technology, so bringing the data protection laws up to date was going to be in the pipeline sooner or later.
With data protection legislation over 20 years behind the trend of technology, it is no wonder companies are panicking, and with such severe penalties it is quite right that you should see to it that your company is GDPR compliant.”
If you are worried about safeguarding organisational compliance ahead of the GDPR’s in-force date, talk to one of our knowledgeable legal representatives at JMR Solicitors. We combine a high level of legal knowledge with business expertise to future-proof your organisational compliance.
Marium Razzaq – Partner at J M R Solicitors Limited