Whether or not the UK stays or leaves the European Union, new data protection laws will still apply to your business if you deal with others in the EU. This year the Network and Information Security Directive (NISD) is due to come into force, followed by the General Data Protection Regulation (GDPR) in 2018.
Only half of UK IT decision-makers are aware of the coming EU General Data Protection Regulation, compared with 87% in Germany, according to a survey by Trend Micro.
UK data protection laws have remained fairly static over the last 20 years, the existing UK Data Protection Act dates from 1998. Yet the digital technological landscape has changed dramatically in this time and data breaches have become an all too common occurrence in recent years. To this end the GDPR sets out to address this gap between the law and technology and, as stated above, even if the UK leaves the EU any company that wishes to do business in EU will need to comply.
Planning for new EU data protection regulations
Taking a gamble on Brexit is probably not advisable even if your organisation is focused solely on business in the UK and outside the EU. In fact it is sensible that UK businesses start to plan for this new regulation now. When it comes into force in 2018 there will be a two year adoption period, after which it becomes enforceable across all EU countries by data protection authorities and the courts. Two to three years is not a long time to address key changes and put best practice in place, which is why we are already advising our clients on data protection with GDPR in mind.
What do you need to consider and start planning for?
The following points increase the obligation on organisations to protect their data, and systems will need to be put in place to comply:
· Accountability: GDPR will mean that organisations must be able to demonstrate compliance with data protection requirements through adopting and implementing policies and procedures such as Privacy Impact Assessments, designing privacy using encryption to protect personal data, and keeping records of personal data use within an organisation
· The ‘right to be forgotten’: Organisations will need to be able to erase all an individual’s personal data on request, with some exceptions
· Customer profiling: Restrictions on profiling of individuals – the right for an individual not to be subject to a decision based on automated profiling – for example profiling based on employment, location, financial information etc. The exception is if the organisation can prove a statutory basis for profiling, such as crime prevention
· Consent: Organisations using personal data analytics must also ensure that an individual’s data is freely given, requested in clear and plain language, and allow individuals to see a copy of the data you hold about them
· Data breaches: Mandatory reporting of any serious data breaches to the Information Commissioner’s Office (UK) within 72 hours
· Pseudonymous data: Currently UK data protection laws only relate to data that directly identifies the individual, or identifies them when combined with other data held by the data controller. The new regulations will mean that all data, whether it identifies an individual directly or indirectly will become ‘personal data’. This includes IP addresses and references numbers
By Bruce Penson, managing director, Pro Drive IT
Find out how to ensure that your company is fully prepared for the implementation of GDPR by attending the GDPR Summit London, designed to help businesses prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at www.gdprsummit.london