Cloud computing – the legal considerations
Hosting, processing and storing data remotely raises some specific legal issues for UK business. We explore just what...
In May 2018, a major new legal framework will apply to every country in the EU. And if your company doesn’t comply, you could stand to face some major fines.
You might not have heard of it yet, but General Data Protection Regulation (GDPR) is a major new legal framework for the EU, which applies to personal data (including online identifiers like IP addresses) and organisations’ responsibilities when it comes to protecting this personal data.
GDPR comes into effect on 25 May 2018 and will apply to all companies operating within the EU, as well as those outside the EU who offer services to member states. These companies will be held accountable for personal data – they must comply with the principles of the regulation and demonstrate this compliance, for example, by documenting decisions taken around a processing activity.
Worryingly, most companies haven’t taken the appropriate steps to comply. According to Symantec’s State of European Data Privacy report, a staggering 96 per cent of companies don’t fully understand GDPR. An overwhelming majority (nine in 10) have concerns about their ability to become compliant, while less than a quarter (22 per cent) consider compliance a top priority within the next two years.
Clearly, there’s work to be done.
If your business isn’t compliant by May 2018, you could face significant fines. Thankfully, there’s still time to remedy the situation, but you need to act now.
The first step is to ensure decision-makers and key people in your organisation know that the law is changing. Document what type of personal data your company holds, where it came from and who you share it with (this can be a big task, so an information audit may be in order). Review current privacy notices and plan for any changes you need to make before GDPR comes in.
Under the terms of GDPR, individuals have a right to be forgotten (i.e. have their data deleted from the company’s system) so check that your procedures cover all the rights that individuals have, including how to delete personal data and that you can provide it if requested.
Processes in place
Procedures need to be updated, and you should plan how to handle subject access requests within the new timescales. Look at the types of data processing you carry out, identify your legal basis for carrying it out and document it.
Review how you seek, obtain and record consent, and make any necessary changes. Put systems in place to verify individuals’ ages and to gather parental/guardian consent for data processing. You’ll also need the correct procedures in place for detecting, reporting and investigating personal data breaches, and should familiarise yourself with the Privacy Impact Assessment code of practice for information on how and when to implement these guidelines.
Designate a data protection officer, if required, or someone responsible for data protection compliance. Finally, if your company operates internationally, determine which data protection supervisory authority you come under.
If you’re in the UK, don’t think Brexit means GDPR won’t apply to you. UK companies operating internationally must still abide by it. It will take a big upheaval to comply with GDPR, but if you start now, you can easily get your company in order before it’s too late.