EU member states have agreed to unify data protection laws across the EU.
The new regulation could have significant implications for businesses in the UK and elsewhere.
- Does your business process personal data?
- Are you aware of the proposed EU regulation which, once finalised, will be the most significant change to UK data protection legislation in over ten years?
- Do you know what your business needs to do between now and implementation of the regulations to ensure it continues to comply with the data protection legislation?
Although implementation of the regulation is likely to take up to two years to complete, businesses should act now to ensure their systems and processes are aligned with the new data protection rules. Acting early helps avoid last-minute compliance work and the risk of having to discard data that was obtained in a way the new regime does not permit.
We have identified some top tips for businesses to consider in preparation for the shake-up of data protection legislation:
- data protection authorities will be entitled to review a business’s privacy policies, procedures and documentation at any time. You should therefore ensure your documentation is up to date, accurately reflects the processes your business actually has in place and is written in clear and plain language;
- if you have over 250 employees you may be required to designate a Data Protection Officer. The nominated officer should be able to, for example: inform and advise the business of its data protection obligations; monitor the implementation, application and maintenance of relevant policies; and monitor compliance with the business’s data protection obligations. It is possible that the threshold of 250 employees will be revised downwards during the legislative process;
- ensure your business has a system in place for dealing with data breaches. This should cover detecting a breach, assessing its scope, and notifying the supervisory authority and any data subject affected by it. Data breach notification is likely to become compulsory for all businesses, and any company that is not ready by the time the new laws are enacted risks incurring severe penalties;
- ensure your business has a strategy for dealing with data classification, retention, collection, destruction, storage and search;
- if not already in place, introduce procedures for obtaining explicit consent from individuals in respect of the processing of their data by your business. Any data held or otherwise processed on the basis of implied consent (for example, by stating that the data subject will be deemed to have consented to the processing unless they confirm otherwise) will need to be re-obtained, with the data subject giving their express consent. To ensure your business’s databases remain valid and the data usable under the new regime, you should collect data on the basis of express consent from now on; and
- ensure your systems and processes deliver data protection compliance as a matter of course. You should review the personal data held by the business and understand why it is held and for how long it needs to be held. If data is used for purposes other than those for which consent was obtained, or is held for longer than strictly necessary, you may find yourself in breach of the new regime.
If you have any questions or would like to discuss how we can help you prepare for the new data protection framework, please complete our enquiry form and a member of the commercial team will be in contact shortly.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.