23rd March 2018 | IN DESIGN ADVICE | BY SBID ShareTweetPinterestLinkedInIn the current issue of eSociety, SBID talks to Suzi Sendama, Associate from Mishcon De Reya LLP about the new General Data Protection Regulation (GDPR) rules that will be enforced on the 25th of May. She highlights what all the fuss is about and what it will mean for your business? What is the GDPR? The GDPR introduces more stringent data protection obligations on companies and will strengthen the rights of individuals. Its implementation and effect is therefore of relevance both to corporate entities and to those seeking to enforce their rights. It will be implemented across all EU Member States and its provisions will continue to apply in the UK post-Brexit through the UK’s proposed Data Protection Bill. The GDPR sets out new rules for any organisations that collect or process personal data of individuals (known as data subjects). Personal data is any information relating to an individual, including names, addresses, photographs of individuals, email addresses, bank details, IP addresses and even social media posts – as a result, the GDPR will apply to most organisations that do business in the EU. As a result of the changes in the law, and the publicity surrounding the introduction of the GDPR, individuals are more likely to scrutinise the way in which information about them is held by organisations. How will the GDPR affect businesses? Two key themes arising from GDPR are transparency and accountability. Companies will need to explicitly and clearly tell individuals what data they are holding, why they have captured it and what they intend to do with it. Companies will also need to be able to show that what they are doing is in accordance with the law. In practical terms, this is likely to involve at the very least updating your privacy policy to ensure that it is in plain English and that it accurately reflects what data you are processing. Electronic direct marketing, such as emails sent to people who are not existing customers, will require a higher level of ‘consent’ than now: consent needs to be explicit and freely given, by way of a positive opt in. The GDPR also introduces a requirement for some types of organisation to appoint an expert in data protection law as a Data Protection Officer. Reputation management should be a key consideration for all companies. Ensure that you have a crisis plan in place for dealing with data breaches. You could also face enforcement action if you are unable to demonstrate that you have addressed the new requirements. The legislation introduces hefty fines for data breaches of up to 4% of global annual turnover or €20million, whichever is more. Think carefully about a notification strategy for breaches. In the event of a data breach, companies will often have just 72 hours to notify both data subjects and the Information Commissioner’s Office, so having a strategy in place for dealing with this will be crucial. Data breaches are most likely to occur as a result of human error – make sure that members of staff are appropriately trained on the changes which are coming into force and ensure that you have policies in place in relation to data security and how to handle data breaches. If you are an employer, you will also need to ensure that the way in which you handle your employees’ data is GDPR compliant. Review any HR policies to ensure that you have systems in place to deal with your obligations under the GDPR and inform employees and any job applicants about the purpose and legal basis for processing their personal data. Key action points It is vital that you understand what data you are holding, why it is being held and where it is being stored. Understanding the risks and privacy impact of each data type will enable you to better protect your organisation and your data subjects. Where possible, minimise the data you are holding before the GDPR comes into force. Transparency and accountability is key: review and amend your policies for collecting and processing personal data. Every pound spent on preparation for the changes in law is likely to pay off exponentially in the future. Appoint someone suitably trained in data protection to be the point-person for GDPR, and train all staff on the new legislation. Have a reputation management strategy in place for dealing with potential breaches. For further information on the GDPR and how it could affect your business, please contact Suzi Sendama at Mishcon De Reya LLP, [email protected], +44 (0) 203 321 6794. Suzi Sendama, Mishcon De Reya LLP Did you miss Suzi’s article on Intellectual Property and Copyright Law? Click here to see more.