Posted by Gary Mackley-Smith on August 9, 2017
Following the government’s intention to introduce a new Data Protection Bill, businesses face new regulatory burdens in order to provide greater safeguards for individuals.
And despite Brexit, the bill will incorporate into UK law the EU’s General Data Protection Regulation (GDPR), which comes into effect from 25 May 2018.
As there is now less than a year before the new regime take effect, organisations need to take action sooner rather than later.
In summary, the bill will:
A key headache for businesses that collect personal data will be the requirement to show how and when they obtained explicit consent for the information they hold from the individuals concerned. Further regulations and guidance are expected on this issue.
Individuals will be able to request, free of charge, a copy of their personal data that is being processed. Additional copies can be accompanied by a “reasonable fee” for administrative costs.
Businesses will have to notify the Information Commissioner’s Office within 72 hours of a data breach taking place, if the breach risks the rights and freedoms of an individual. In cases where there is a high risk, businesses must notify the individuals affected.
The Information Commissioner will be given greater powers to regulate the protection of data, including the ability to issue fines of up to £17m or 4% of an organisation’s global turnover for serious breaches of data.
Organisations also face unlimited fines where they intentionally or recklessly identify individuals from anonymised data.
Firms will have to record what personal and personally sensitive information they hold in manual and electronic files, along with details of management responsibility for that data, and policies on storage and deletion.
A risk assessment may be required where the processing of information is considered to be on a large scale or risky.
Businesses which process certain categories of data will have to appoint a data protection officer to advise on data issues, handle complaints and ensure compliance with the rules.
Major companies such as Microsoft and Google offer cloud-based services that can encrypt stored information, to make sure it cannot be used if stolen. Firms may wish to use these services in future as a way of complying with data protection rules.
The Information Commissioner’s Office has an area on its website with more information, including a 12-step guide on action to take.
If you would like to discuss the implications of the Data Protection Bill, please contact your usual Bishop Fleming adviser.
Here you can download Bishop Flemings document providing information about bringing your own device
Download (317 KB)