There’s nothing quite like that feeling when you’re happily cruising down the motorway in traffic and you see the brake lights start to glow red about a quarter of a mile ahead. That’s the signal for you to slow down and think a little about where you are right now and where you want to go.
That’s the situation we all find ourselves in right now as we speed towards 25 May 2018, the date the new data protection regime – the General Data Protection Regulation (GDPR) – comes into force.
And despite anything anyone tells you to the contrary, even though the GDPR is a piece of EU legislation, Brexit is not going to provide us with a convenient off ramp.
The GDPR is going to be in place before Brexit happens and, regardless of the shape Brexit takes, the UK Government has already said that any data protection regime it implements will effectively be equivalent to the GDPR. This is understandable, because if we want to continue to trade and share personal data with businesses and other organisations in the EU then anything other than GDPR equivalence would be a significant barrier.
The GDPR brings with it a series of important changes in the UK’s data protection laws and will have a significant impact on how organisations manage personal data. Many businesses and other organisations have already spotted the eye-watering penalties for non-compliance (up to €20 million / 4% annual turnover) but there are a host of other changes such as:
- Strengthened and new rights for individuals in relation to their personal data
- Changes to what constitutes “consent”
- Mandatory data breach notification (72 hours)
- Responsibility of data processors
- Data Protection Impact Assessments
- Data Protection Officers
- New or updated rules on who you can share personal data with
- Upcoming changes to marketing laws (including e-mail marketing)
In addition, the new principle of “accountability” means that data protection compliance will be far more process driven than ever before.
Businesses need to slow down, think a little about where they are right now and where they want to go – at least in terms of how they process personal data.
At the moment, the Data Protection Team at Anderson Strathern is seeing a significant uptick in queries about the new GDPR. Right now these queries are principally coming in from the public and education sector, technology companies and other businesses that have a clear enough view ahead to see those brake lights flip on just a bit further up the road. They are presently engaged in assessing what data they hold, whether they really require to hold it at all and what they need to do to put systems, processes, contracts and privacy notices in place to be ready for the GDPR by May 2018.
I’m told that the SMTA have concerns that some of their members aren’t up to speed with their responsibilities under the Data Protection Act 1998 let alone what’s coming down the road with the GDPR. If that’s an accurate assessment of the Motor Industry, then it’s a genuine concern. The GDPR isn’t just going to affect the public and education sector or technology companies, it’s going to affect everyone.
If you haven’t already thought about the new GDPR and at the very least put in an initial query to a Data Protection lawyer, then chances are – right now – you’re going too fast.
Sure, you may still be able to brake in time, but please, don’t leave it much longer… or we’ll be squirming in the seat next to you. With under a year to go until the implementation, it’s crucial that everyone in an organisation prioritises a review of their data protection practices.