How Do the Data Protection Changes Affect My Business?
June 9, 2016

On the 25th of May 2018, the new EU General Data Protection Regulation (GDPR) will come into effect. Understanding these changes is important to just about any business, as failure to comply with the new law could lead to fines of up to €100m or 5% of annual global revenue (whichever is higher). Customers whose data is leaked may also claim for compensation, which can cause serious reputational damage in addition to legal costs. Official guidance can be found on the ICO website.

What are the Changes?

The GDPR will supersede member states’ existing data protection law, including the UK’s Data Protection Act. Notably, it will also apply to companies based outside of the EU who process data of EU nationals.

One of the main changes from existing laws is that data protection will no longer be the sole responsibility of the data owner. Instead, anyone who processes data will be responsible for its protection, and liable to be penalised in the case of a data breach. This includes third parties, such as cloud service providers. Because of this shared responsibility, data owners will need to thoroughly vet their partners, and third parties will need to take greater measures to ensure security.

The GDPR also grants new erasure rights. This means that customers and clients have the right to demand that any data held on them is erased: a right to be forgotten, no less. Organisations will need to have a procedure in place to ensure that this data is erased completely, across all systems and devices, and be mindful of potential obstacles to this, including the presence of syncing protocols that may restore deleted copies.

Under the new law, it will be the responsibility of data collectors to inform and remind users of their rights, and to document that they have done so. Users must also give explicit consent to their data being processed or transferred to another organisation, on an opt-in basis.

The GDPR will have broad implications across a range of sectors. Below we’ll take a look at a few specific examples:

Healthcare

One sector the changes will affect greatly is Health and Social Care. However, because national health bodies including the NHS played a consultative role in drafting the legislation, some exemptions and amendments have been made to maintain standards of care. Most notably, explicit consent is not required for processing personal data concerning health, as information exchange is vital for collaboration between different healthcare providers.

Under the GDPR, data subjects may request a copy of any information held on them, without being charged. Many medical authorities keep patient records in a paper format, which can make it time consuming and costly to process such requests. As such, it is advisable that these bodies move to an electronic system for keeping records before the law comes into effect, in order to simplify this process and reduce costs.

The new erasure rights may also be inconsistent with the current practices of some healthcare bodies, which rarely delete any data from patient records. Instead, if a correction is made to the record, a note is left on it to maintain an audit trail. Organisations will need to reconsider their practices to ensure that they are compliant with the new law.

Childcare and Education

Under the GDPR, the age of consent for data processing will be 16 by default, with individual member states having the option to lower this to 13. Processing of data belonging to children younger than this will require parental consent. Companies operating across the EU may choose to maintain 16 as the age of consent in order to simplify their processes and more easily maintain compliance.

Parental consent is not required in the context of preventative or counselling services which are offered directly to children, allowing these services to continue to be provided to those in need.

Financial and Legal Services

Owing to the potentially sensitive nature of their client data, providers of financial and legal services may be particularly vulnerable to legal action in the case of a data breach, because of the possible damage to the subject’s reputation. As a result, data protection will be a key concern for any administrative systems used in these sectors.

The GDPR strengthens the rules which require organisations to have a legitimate interest in any data they collect. Because of this, organisations will have to be able to justify any data they hold on customers or clients. As such, it may be advisable to have systems and processes in place to regularly remove data which is no longer relevant.

All Businesses

When thinking about the changes to data protection law, all organisations should start by understanding what data they process and why. This understanding must then be built into all of their processes and systems, with a view to ensuring security and compliance with the GDPR.

As these changes to data protection law may be difficult for organisations to implement, changes to processes and operations should be carried out as soon as possible, potentially including investment in secure and data-compliant software systems.

May 2018 might seem like a long time away, but becoming compliant as soon as possible will allow organisations to avoid issues when the changes come into effect. Early adoption will afford businesses a buffer period to overcome possible teething issues, while compliance before the deadline could help organisations avoid incurring penalties. Being proactive in this sense may also offer the competitive advantage of winning customer trust and assurance.

If you’d like to discuss a custom software project or want to know more about our secure cloud services feel free to call us on 028 90 87 2222 or drop us an email.

Disclaimer

Etain Ltd make custom software; we aren’t legal professionals. The information above is presented in good faith, and is intended as a high-level guide to help you understand the potential effects of the GDPR.
If you are unsure of your position, you should not hesitate to consult a legal expert or your local regulatory authority. The full text of the General Data Protection Regulation can be read here.
