The GDPRs, or General Data Protection Regulations, will come into force on 25th May 2018. Businesses may already be puzzled by the amount of publicity surrounding regulations which are not coming into force for several months, and may be wondering why they are being urged to start preparing for the Regulations now.
Nigel Tillott, Head of Employment and Regulatory Law at Davies and Partners Solicitors, looks at the Regulations in more detail:
"Businesses have been subject to Data Protection obligations for a considerable time, but save for those involved in the direct marketing industry many businesses have so far been able to keep the Data Protection legislation at a lower point in their priorities than other more pressing matters. The pressure has been cranking up though with the ICO (Information Commissioner’s Office) taking more and more interest in how businesses are looking after information about their customers and employees and being more and more prepared to issue heavy fines to those who are not compliant. Also, consumers are becoming more and more aware of their rights and are frequently subjecting businesses to Subject Access Requests and indeed pursuing claims for compensation where there has been a data breach.
From 25 May next year the Data Protection regime is going to get a whole lot tougher with the introduction of the GDPRs. These will regulate in a prescriptive way the entire life of personal data held by companies. The ICO will be backed with greater powers including the ability to impose much higher fines.
One might think that the GDPRs emanate from Europe and we are leaving Europe so we don’t need to worry about them.
For a start, we will not be out of Europe when they come into force and will therefore have to abide by them, but there is also every sign that they will remain in place in full, but only under a different label when we eventually leave Europe.
Businesses may wonder why they need to be worried about the Regulations at present. The issue is that the changes are so significant that if businesses wait until May to look at them there will be very little chance that they will be able to put in systems to effectively comply on time. Further, if data is used for marketing purposes far more stringent provisions will apply. There is a real risk that existing databases will be rendered redundant. If measures are put in place now the impact will be much reduced.
The Regulations deal with the collection of data i.e. obtaining information about individuals, how it is held and destroyed. Individuals will be provided with greater rights over the data including rights to access it, modify it, require its destruction or indeed that it is transferred. The topic of consent has been looked at and changed massively. At present consumer information is usually obtained on an “opt out” basis giving businesses a fair amount of flexibility as to its use. In future consent will need to be very specifically given. The aim is to much reduce the trading of personal information resulting in consumers being contacted by all manner of people they weren’t expecting to be contacted by. The risk with all such measures is that those seeking to get around the system find ways of doing it whilst the average business which has not thought carefully about the Regulations may find itself precluded from being able to contact customers in ways which may be mutually beneficial. With care there are ways of reducing the impact of the Regulations. However, thought needs to be given to this sooner rather than later."
Further, Davies and Partners will provide in-house training sessions and can carry out audits of existing procedures. If you would like to know more about how we may be able to assist you, please contact Nigel: Tel. 01452 612345.