The General Data Protection Regulation (GDPR) will impose significant burdens on companies, including a substantial amount of additional reporting requirements and increased fines and penalties. GDPR will have an impact on all property companies. Any company with employees, using CCTV, or processing any personal data about residents, tenants, members of the public, customers or visitors must comply with the new legislation or face fines of up to €20 million (around £17m) or 4% of worldwide annual turnover, whichever is greater. In light of this, it is now definitely cheaper to comply with this legislation than not to. The new law applies from 25 May 2018.
So what is the difference between the current law and the GDPR?
| Area | Current law | GDPR |
|---|---|---|
| CCTV | The ICO has a code of conduct for CCTV users which recommends a sign is erected notifying visitors that they are being recorded. | Companies should revisit their signs. For example, the sign should state that automatic number plate recognition software is used and give contact details. |
| Contracts with data processors and joint controllers | The current law does not make contracts compulsory, but they are regarded as good practice. | Contracts must be entered into with data processors and must cover 11 mandatory issues. |
| Data Protection Officer (DPO) | Currently 4 out of 28 member states in the EU require a DPO to be appointed for most organisations. | Controllers and processors must appoint a DPO if they carry out processing involving the ‘regular and systematic monitoring of data subjects on a large scale’ or if they process sensitive (special category) personal data on a large scale. |
| Fines and penalties | Currently, fines for a breach are a maximum of £500,000. | Fines increase to the greater of 4% of worldwide annual turnover or €20 million. |
| Legal rights of data subjects | A data subject can request a copy of their data on payment of a nominal fee and has a right to rectify errors. | The subject access fee is abolished and companies must respond within one calendar month. There are new rights to have data erased too (if it is no longer needed). |
| Marketing consent | Under current law an opt-out can be relied on by marketers for gaining marketing consent (for example, ‘tick here if you don’t wish to receive offers’). | Marketing consent must be explicit and in the form of: |
| Notifying breaches | Notification of breaches to the Information Commissioner’s Office (“ICO”) is effectively voluntary. | Breaches must be reported to the ICO within 72 hours of the company becoming aware of them, and where a breach is likely to result in a high risk to individuals, the affected data subjects will have to be notified too. |
| Registering with the ICO and legal processing | Under the current regime, organisations are required to ‘register’ or ‘notify’ the ICO. | ICO notification or registration is abolished. However, the ICO has recently indicated that it wants to keep some form of register. |
Where to begin?
The starting point for most companies will be to check what personal data they hold, where it is held and what they use it for. This exercise often reveals security gaps, such as where data is backed up and stored and who can access it. The key to complying with the GDPR is transparency and accountability. No-one should be surprised by how their personal data is being used, and there should be a clear path to amend records if they are incorrect.