Get ready for the new General Data Protection Regulation

The new General Data Protection Regulation (GDPR) was recently agreed and will come into force two years from publication, so by 25 May 2018.

Its reach is wider than the existing Data Protection Directive and it will apply directly to controllers and processors of data. It gives more control to individuals over the use of their personal data and will be more consent-based than current data protection laws.

The GDPR brings in a set of uniform rules across the European Economic Area and will have direct effect so does not require implementing national legislation. Businesses need to start preparing for the changes to come.

New mandatory requirements will be introduced:

• The right to be forgotten.
• The right of portability.
• Privacy by design.
• Data protection officers for all organisations processing sensitive data on a large scale or having large scale customer databases. SMEs will be exempt unless personal data processing is a core business activity.
• Privacy impact assessments (with limited exception for SMEs unless high risk).
• Serious security breach notifications to the national supervisory authority without undue delay: within 72 hours where feasible.

There will be a tiered approach to penalties for breaches of the GDPR. Fines of up to 4% of global annual turnover for the previous financial year or €20 million, whichever is higher, can be imposed depending on the breach.
The GDPR will also apply to organisations outside Europe which are targeting goods and services at or tracking/profiling individuals in Europe.

So what should businesses handling personal data be doing to prepare for the changes that the GDPR will bring in?

• Make sure the board are aware of the new requirements and penalties and the risks to the business if not GDPR compliant within the next two years.
• Appoint and train a Data Protection Officer. One may be mandatory under the GDPR but even if not, appointing one may be a good idea given there will be a lot to do.
• Assess what personal data is processed around the business and re-examine all existing data protection policies, training, privacy notices etc. Ensure they are up-to-date and compliant with current laws and start working on them now to make sure they will be GDPR compliant
• Assess what processing of personal data will need to be consent-based in future, whether the business already has the necessary consents (do they meet the new conditions) or whether fresh consents need to be obtained? If so, what information should be provided to the data subject so that the consent obtained is informed consent and how will you evidence this?
• If the business doesn't already have them, consider implementing compliance tools, such as Data Protection Impact Assessments, a Security Breach Handling Policy and so on. They will be a must, not a nice to have, once the GDPR is implemented.
• Update data processor and security provisions in contracts to cover extended processor obligations that controllers must contractually impose. Data processors must themselves consider what additional risks such provisions will have on their businesses. They will also have direct responsibilities and face potential fines under the GDPR.

To find out more about GDPR and the automotive industry, visit www.gowlingwlg.com/driverless to download "Are you data driven?", a white paper prepared by Gowling WLG on behalf of UK Autodrive.

This article was originally published on Motor Finance in June 2016.