Data Protection Reform: “Evolution Not Revolution”


November 28, 2017

There are now only six months to go before the introduction in the UK of the EU General Data Protection Regulation (GDPR) and, no, Brexit won’t change this!

It is fair to say that GDPR, and the introduction of the UK’s new Data Protection Bill (which goes beyond GDPR), will take the protection of personal data to a new level. Organisations which process personal data (and which ask others to process such information on their behalf) need to be aware of and adapt to these changes. There is negativity in some quarters about the ‘burden’ of the new regime but, in the UK Information Commissioner’s view, “GDPR is an evolution in data protection, not a total revolution”.

The changes fall broadly into two categories which will:-

• provide greater protection for the individual; and 

• give the regulator greater powers.

 

GDPR is likely to affect many of our clients in respect of their processing of the personal information of their investors. If, however, your organisation is already complying with the terms of the existing Data Protection Act and has an effective data governance programme in place, then you should be well on the way to being ready for GDPR.

The Information Commissioner has produced a useful checklist setting out 12 steps which organisations should consider now in order to be geared up for the implementation of GDPR.  The steps include:-

• raising awareness of the changes;

• undertaking an information audit to assess the information held, its sources and who it is shared with;

• reviewing and updating privacy notices and subject access request procedures;

• ensuring consent is freely given, specific, informed and “unambiguous”;

• considering the “lawful basis” for the processing;

• working out now when a Privacy Impact Assessment will be required; and

• if required, appointing a data protection officer.

You can find the checklist here

 

Compliance with the new rules will require a considered assessment of how the changes will affect your business, including the manner in which personal information is collected and processed. This will have implications for resources and will require changes to internal processes and IT systems so, if you have not already done so, act now and be prepared.