Attendees at the Transmentum October Peer Group benefited from the shared expert advice of our panelists in a frank discussion about the myths of the General Data Protection Regulation – due to come into effect in May 2018.
There have been plenty of headlines about the confusion surrounding the introduction of the new law and the effect it will have on any business which stores and works with data. Many SME owners are unsure about whether they will need to improve their compliance procedures, with 82% of respondents to a Close Brothers survey having either not heard of GDPR or not understanding its impact on their sector.
Only 4% of SMEs felt they understood the legislation and were clear about the effect GDPR would have on their business.
At our working dinner, panel experts Ed Wright from Shakespeare Martineau LLP, Simon Ghent from Fifth Square and Matt Leipnik, founder of Chalk Circle Ltd, walked through the new legislation and answered a lot of the questions.
Paul Fileman, Transmentum Director for Momentum, said: “The Peer Group was well attended with a lively debate on GDPR. Our three panelists were made to work hard to earn their dinner. Questions were wide ranging and the answers demystified a lot of the FUD (fear, uncertainty and doubt) that is flying around on this topic.”
On May 25th, 2018 – irrespective of any other Brexit outcomes – GDPR comes into force replacing the current European legislation (the Data Protection Directive), and its UK equivalent (the Data Protection Act 1998), and it will profoundly alter the way SMEs manage and structure their customer and employee data. Non-compliance is not an option.
Consumers are going to be given beefed-up, world-leading digital rights. Data is power, and the UK wants to give consumers access to that power. This means consumers have to consent to the use of their data. They can withdraw that consent or request to see the data that companies have on them.
The Information Commissioner’s Office has been running a series of blogs written by the Commissioner Elizabeth Denham, to help businesses get the real facts about what impact it will have on their business. One in particular helped separate fact from fiction when it came to the impact the new regulations will have for anyone who holds or controls data from individual people. In her blog Ms Denham stated:
You must have consent if you want to process personal data.
The GDPR is raising the bar to a higher standard for consent.
She also went on to clarify the reality about consent further. “Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent.
“The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it,” she added.
What this basically means is that, for processing to be lawful under the GDPR, companies need to identify a lawful basis before they start using personal data. So, for example, a dentist's surgery contacting patients to remind them of appointments, local authorities processing Council Tax information, banks sharing data for fraud protection purposes or insurance companies processing claims, are all lawful uses of personal data.
There are also five ways, other than consent, in which data can be lawfully processed. These are outlined in this article on the ICO website:
Ms Denham continued: “Whatever you decide, you’ll need to document your decisions to be able to demonstrate to the ICO which lawful basis you use. Data protection impact assessments will be able to help you with the task of understanding how you can meet conditions for processing and make your business more accountable under the GDPR.”
You can follow the ICO’s Twitter account, @ICOnews, to get up-to-date information on GDPR, and make sure you read our other blogs on the subject: