Expert advice on the business of running a garment decoration company
What do businesses need to do to prepare for the General Data Protection Regulation (GDPR) that kicks in next year?
The Data Protection Act 1998 has been providing legal rights and security to individuals whose data is held on a computer or other relevant filing system for almost 20 years.
In May 2018, however, data protection is set to get a major overhaul with the introduction of the EU’s GDPR. The new regulation will not only strengthen data protection for EU residents, but also impose significant financial penalties for non-compliance.
All businesses and public sector organisations should be aware of the new regulation and their responsibilities under it, especially because of the financial and reputational risks of non-compliance.
What is the GDPR?
The GDPR was drawn up to give EU residents back control of their personal data. It extends the reach of the EU’s data protection law beyond the EU: organisations based outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU will also be caught. It also addresses the transfer of personal data outside the EU.
There are severe penalties for non-compliance: up to €20 million or 4% of annual worldwide turnover, whichever is greater.
While the UK is still a member of the EU, the GDPR will automatically apply to businesses and organisations that have a base in the UK. As for what happens post Brexit, we shall have to see how the negotiations go. At the time of writing, however, a new UK Data Protection Bill is going through Parliament, so businesses and organisations should keep an eye not only on Brexit negotiations, but also on what happens to the Data Protection Bill.
How is it different?
One of the differences between the GDPR and the Act relates to consent. Under the GDPR, it will no longer be enough to include a blanket data clause in contracts. Instead businesses will have to explain clearly why the data is being collected and how it will be used.
If relying on consent as a legal basis for processing personal data, consent will have to be fully informed and actively and freely given. The GDPR calls for a ‘clear, affirmative action’, so a recorded positive opt-in, such as a signature or a box the individual ticks themselves, is highly advisable; pre-ticked boxes, silence or inactivity will not count as consent. Who consented, to what, when and how will all have to be carefully documented.
Consent must also cover any third party the data will be shared with. Passing data to a third party that was not named when consent was obtained will require fresh consent.
Consents already held may have to be reviewed to ensure they meet the terms of the GDPR.
The GDPR will also give individuals a host of new rights relating to their personal data. In certain circumstances they will be able to object to certain data processing, restrict how their data is used and to even have their data erased.
Individuals will also be able to make data subject access requests free of charge in most cases (the current £10 fee is abolished, although a reasonable fee may still be charged for requests that are manifestly unfounded or excessive), and organisations must respond within a month, extendable by a further two months for complex requests, rather than the current 40 days.
Organisations will also be responsible for checking data that an individual claims is inaccurate and correcting it without undue delay.
Organisations that contact individuals for marketing purposes will also have to be careful, as specific consent will be needed for electronic marketing by email, text message or automated phone call, and that consent will have to meet the GDPR standard described above.
Another key difference with the GDPR is the role of the data processor. For the first time data processors will have a direct obligation to comply with certain data protection requirements that previously only applied to data controllers. This means they will also be subject to enforcement by the data authorities, serious fines for non-compliance and compensation claims by individuals.
What action should I take?
GDPR compliance may sound like an onerous task, but it should be viewed as an opportunity to review current data collection and storage systems and processes and make them as safe and secure as possible.
Start with a thorough audit of what personal data you collect, how it is collected, why it is collected and by whom.
Then look at where and how that data is stored, how long it is kept and whom it is shared with. Are your storage systems secure? Do you have appropriate written contracts in place with third parties that process data on your behalf? What is the legal basis for your processing of the personal data, and have you recorded it?
We have recently launched a digital audit tool, Acuity DataGuard, and support service to help businesses carry out a thorough audit of their data use and identify any potential threats.