The law on data protection will change on 25 May 2018 when the General Data Protection Regulation comes into force.
What is the GDPR?
The European Union has adopted the General Data Protection Regulation ('GDPR') to update the current data protection regime (which is incorporated into UK law by the Data Protection Act 1998 ('DPA')).
The GDPR strengthens the rights of data subjects and updates the legislation in order to take account of advancements in technology since the previous regime was brought into effect. It regulates the storage, use and destruction ('processing') of personal data.
The GDPR will come into effect on 25 May 2018 and will be fully in force from that date.
What are the key changes the GDPR will make to the current DPA regime?
The GDPR makes several important changes to data protection provision. Some of the key changes include:
- The definition of personal data has been expanded to include online identifiers such as IP addresses and cookies;
- A higher standard of consent must be obtained prior to processing personal data using this basis;
- Reporting requirements to the Information Commissioner's Office ('ICO') and, in some circumstances, the data subject in the event of a breach of the GDPR have been strengthened;
- The maximum fines the ICO can impose for data security breaches have been substantially increased.
Who does the GDPR apply to?
The GDPR applies to all 'processors' and 'controllers' of personal data. Broadly, a controller directs how and for what purpose personal data is processed, whilst a data processor acts on the controller's behalf. Personal data is any information relating to an identifiable living person.
The GDPR applies to Wrigleys in the same way it applies to many other organisations. We consider ourselves to be data controllers in relation to our processing of the personal data of our clients and employees.
Additionally, there are special categories of personal data (such as ethnic origin, political opinion or health data) which have further protections afforded to them under the GDPR.
What are Wrigleys doing to prepare for the implementation of the GDPR?
We already have policies, procedures and security software in place in order to ensure compliance with the DPA. In order to ensure we are fully compliant with the GDPR when it comes into force, we have taken steps to analyse and improve our current procedures and policies:
- We have established a GDPR working party, which meets on a monthly basis, to provide strategic oversight of our review and assessing the firm's readiness for the GDPR;
- We have analysed all our data processing activities to understand what data we receive (and where it comes from), what we do with data and what data we send to others (and where it goes to);
- We have undertaken a review of all our data processing activities in order to establish and record the lawful basis for each processing activity;
- Each department has undertaken its own review of processing activities which are specific to that department. This has been undertaken with the help of the data protection committee in order to ensure that all data processing activities have been captured and recorded;
- We are in the process of refreshing the consents we rely upon to process personal data so as to ensure they are fully compliant with the GDPR;
- We are reviewing all our contracts with third parties to ensure that the provisions we have put in place to protect personal data in those contracts will satisfy the requirements of the GDPR;
- We are developing revised privacy policies and updating our terms of business to ensure our clients are fully informed of the processing we undertake;
- We are revising our data protection policy to ensure that it covers all of our data processing activities and is fully compliant with the GDPR; and
- We have developed a comprehensive training package for our employees to ensure that they all receive appropriate training on the impact that the GDPR will have on our procedures.
What does this mean for our clients and employees?
We take our responsibilities under the GDPR very seriously. As we review our current policies and procedures we will be in touch to notify you of updated policies and procedures we put in place in light of the GDPR.
Find out more
If you would like to know more about our approach to the GDPR, please get in touch with Malcolm Lynch, Peter Parker or another member of our data protection committee on 0113 244 6100.
Article: "What will the EU’s new data protection regime mean for UK charities?" Peter Parker considers how charities can comply with changes to data protection law (Published by Civil Society in March 2017)
Data Mapping Questionnaire: Undertaking a data mapping exercise is one of the first exerises an organisation should undertake in preparing to become GDPR ready. We have produced a questionnaire to help charities and social enterprises to identify the personal data held by them and the types of processing activities carried out in relation to that data.