Matt Jones Matt Jones | 25 Apr 2018

We are leaving the EU so GDPR will no longer be relevant  

It is a common misconception that Brexit affects GDPR and will not apply in the UK. This is incorrect. The legislation comes into effect prior to the deadline for the United Kingdom leaving the EU. Therefore, companies will have to meet the 25th of May 2018 deadline regardless. 

The UK's digital minister Matt Hancock stated that the UK Government has committed to updating and strengthening data protection laws through a new Data Protection Bill.  

It is anticipated that this bill will incorporate the EU’s GDPR into UK law, something confirmed in a statement by Elizabeth Denham the Information Commissioner, she said:   

“We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.”…“The Bill will bring the European Union’s General Data Protection Regulation (GDPR) into UK law” 

The result of this is that organisations collecting or processing personal data cannot avoid the GDPR, particularly those who are collecting data of citizens within the EU.  

The introduction of GDPR is going to result in massive fines for those that don’t comply  

You are probably already aware about the headline figures which state fines up to 20 million Euros or 4% of a company’s annual turnover. Whilst GDPR is a concern for many companies, it’s not being introduced to catch companies out, instead it aims to address the rights of the individual and their personal online data.  

It is unlikely that small to medium-sized companies will find themselves levied with a hefty fine directly after the 25th of May 2018. This is likely to be the case, as long as they have taken steps towards meeting compliance but haven’t quite achieved it. 

The Information Commissioner has stated that: 

“it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.” 

Elizabeth Denham then goes on to state that in the year 2016/2017 they concluded 17,300 cases but only 16 of them resulted in fines for the organisations concerned. 

All that said, this doesn’t mean your organisation should become complacent. We would strongly recommend working towards achieving compliance of your website and internal processes by the deadline. It's far better to plan for the GDPR now than scramble to meet the regulations later. 

Consent is required if you wish to process personal data 

The GDPR states that consent must be freely given. This means that it is no longer acceptable to assume that an individual gives consent to their data being used and processed. So pre-ticked check boxes are out.  

However, there are circumstances under which organisations can process data without a specific opt in. One area is where they have a lawful basis to do so. Examples of this include Insurance companies processing a claim or banks sharing information for fraud protection purposes.  

Another exception is if the data is required as part of a contract. So if you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract or they have asked you to do something such as provide a quote, then this is acceptable. This means that when transacting on an ecommerce website, collecting data is required as part of the contract. However, what the regulations do mean are that you are not allowed to then use this data for marketing purposes, unless the individual has positively opted in to receive this. 

There are other exceptions but probably the most relevant is that of legitimate interests. This puts the responsibility of assessing the protection of data on the company processing it, ensuring they are protecting people’s rights and interests. 

There are three steps to establishing legitimate interest: 

  • First you must identify a legitimate interest 
  • You then need to show that the processing is necessary to achieve it 
  • Finally, you must balance it against the individual’s interests, rights and freedoms 

Legitimate interests can cover a wide range of situations, the key thing is to test them against the three test criteria and clearly document the process if you are going to rely on this form of lawful basis. For a more in depth look at legitimate interests visit the ICO’s page on the subject. 

All breaches of personal data must be reported to the ICO 

GDPR legislation states that any breaches must be reported if they are likey to result in a risk to an individual’s rights and freedoms. However, if the individual’s rights and freedoms are not at risk then there is no need to report this.  

This differs from current data protection law which recommends reporting as best pratice, but it is not compulsory.  

In the event that a serious data breach does occur then there is a duty for your organisation to report the breach within 72 hours of becoming aware of the breach to the ICO. In addition to this, you must notify the individuals affected by the breach without unnecessary delay.  

GDPR is going to be a huge burden on my organisation 

For organisations already complying with the Data Protection Act then GDPR should be a relatively smooth transition for compliance. Whilst there will be extra admistraion resource required this should not burden down businesses that already have best practices in place.   

Whilst some companies will view this as yet more red tape, for the more enlightened, this presents an opportunity to improve the efficiency of your data collection and processing. In doing so, you improve the experience of your customers, which can only be a good thing. 

With the public’s lack of confidence in the security of their data online, particularly in light of recent events such as the cases with Facebook and Cambridge Analytica, the public are more concerned than ever about how their data is processed. The introduction of the GDPR should herald a new era where the trust can be restored. Acting now and taking the steps to become GDPR compliant not only is a requirement but also makes sound commercial sense.  

To help organisations such as yours meet GDPR website compliance, we have produced this website compliance guide that will help you better understand your responsibilities. 

We are also offering a GDPR website audit service that looks at compliance issues specifically surrounding your website and provides you with a report detailing actionable recommendations.