GDPR in one minute

Are you seeing an ever-growing frenzy of chatter telling you to worry about the introduction of “GDPR”? Do you lose the will to live as soon as you start trying to read about it? Fear not. Here’s a survivable 60 second summary of what’s going on.

GDPR (the “General Data Protection Regulation”) is a new law regulating the holding and use of personal data, meaning any information relating to an identifiable living individual. From 25 May 2018 it replaces the Data Protection Act 1998 as the primary data protection law in the UK. It applies to any business which holds or uses personal data, so for example it would apply to a company holding or using information about individual employees, customers, or suppliers.

In many respects GDPR re-states the existing law. However, there are some new elements which make the new law significantly more onerous than the old, and these are the elements that have attracted most of the attention. Foremost amongst them is a requirement for businesses to have documented systems and procedures demonstrating their compliance with the law (the “accountability” principle). Storing and using other people’s data in compliance with the rules is no longer enough; it is now necessary to be able to demonstrate that you have systems and procedures designed to achieve that compliance. For many businesses, creating and documenting those procedures will be a substantial exercise.

Your procedures and systems will need to include:

• a full audit of all personal data held across your organisation and the purposes for which it is held
• a written analysis of the legal justification (the set of lawful bases, which GDPR narrows) for holding and using each type of personal data held
• “privacy notices” giving people full transparency as to how their data will be stored and used
• procedures for timely and systematic data destruction once data is no longer needed for its stated purpose (a significant technical and administrative headache for many businesses)
• systems for data security, and procedures for detecting, recording and managing data breaches

The new law makes businesses responsible for ensuring that third parties to whom they pass personal data (“processors”) have compliant systems and procedures in place, backed by a written contract setting out the processor’s obligations. The flip side is that if you’re not compliant, you may find that third parties won’t pass their data to you.

There is also a new obligation to notify the Information Commissioner’s Office (ICO) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected, together with enhanced powers for the ICO to levy fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. So a future security breach could result in self-notification to the ICO, following which an ICO investigation discovers a lack of adequately documented systems and procedures, resulting in a significant fine.

