Data protection rules in the UK are set to be overhauled on 25th May 2018 with the introduction of the General Data Protection Regulation (GDPR) which will be applicable across the EU.
The GDPR applies to processing carried out by organisations operating within the EU, however, it also applies to organisations outside the EU in respect of activities related to:
Until the UK leaves the EU, it will be subject to the GDPR. Post-Brexit it is expected that the GDPR will be retained in UK law by the European Union (Withdrawal) Bill and Data Protection Bill (which is currently making its way through Parliament).
Therefore, post 25th May 2018, non-EU organisations who offer goods and services in the UK (or elsewhere in the EU), or monitor individuals’ behavior in the UK (or elsewhere in the EU), will need to be GDPR-compliant in relation to those activities!
Are you caught?
The GDPR is vague on who might be caught by the above criteria (perhaps purposely so). Determinations on this will be made on a case by case basis.
For global businesses offering goods/services the position may be fairly clear cut that they are subject to GDPR obligations but for some the position will be less straightforward.
It seems unlikely that simply having a website or contact details which are accessible to those in the EU would make an organisation subject to the GDPR, however, if an organisation markets its goods/services in languages used in the member states, includes prices in EU member states currencies or cites EU customers, this may be sufficient evidence to show it is offering goods and services to those in the EU.
In relation to behavior monitoring, this may include using cookies or other technology to track individuals on the internet. This is most commonly used nowadays to identify individuals’ preferences so tailored marketing communications can be sent.
So, what should you be doing now if you are caught by the GDPR?
If only part of your business is caught by the GDPR (e.g. you are a global business with a presence in the EU but operate elsewhere also) then you need to decide whether you would want to apply the GDPR provisions to your entire business or whether you are able to separate out activities in the EU and want to run two parallel systems. This is a commercial decision, as it may well be very difficult and expensive to separate the two parts of the business in this way.
Appoint a representative
Under the GDPR data controllers and processors are required to appoint a representative (this appointment should be in writing). This representative will need to be established in the UK if the activities of the business caught by the GDPR are taking place within the UK.
There are exceptions to this where processing:
It will also not apply where the controller is a public authority or body.
This representative can be a person or an organisation and will be the first point of contact within your business for data subjects and the relevant supervisory authority; in the UK that’s the ICO. They can be addressed in addition to or instead of the data controller or processor. As such, they will need to be able to communicate with the relevant data subjects and have a good knowledge of data protection and the GDPR. Their name and contact details should be published in your privacy notice.
Appointing a representative does not absolve the data controller or processor of their obligations under the GDPR which they still need to ensure full compliance with.
Understand the GDPR
It’s vital that you take steps to ensure you understand the GDPR requirements.
There’s a lot of material out there now on the GDPR, we have several publications on our GDPR Page and are on hand if you have any questions. The ICO also publishes lots of useful information and guidance on its website.
Here’s a summary of some of the key points to be aware of under the GDPR:
Once you understand the key requirements of the GDPR, you need to consider the type of data you hold so that you can ensure your organisation is compliant. You’ll need to carry out an internal audit to track the data you hold – commonly referred to as data mapping.
Under the GDPR you have a duty to keep a record of certain data and so, during your data mapping exercise, it’s sensible to create a record of the data in line with your obligations.
Identify where you have gaps or risks in the organisation. For example, do your contracts with data processors contain all the clauses they are legally obliged to contain? Do you have adequate privacy notices? If not, identify these as risks and take steps to mitigate them e.g. by renewing your contract wording and notices.
Once you have appropriate steps in place to deal with any risks and have brought your policies/procedures in line with GDPR, you need to consider training of your staff. This is imperative to ensure your staff understand obligations and follow any procedures you have put in place e.g. reporting obligations.
Conflict in legal requirements
Where you have local laws which conflict with the GDPR, you need to seek legal advice about your obligations.