The €20 million question – are you ready for GDPR?

Posted on January 23, 2018



From 25 May 2018, organisations that process the personal data of individuals in the EU may face fines of up to €20 million, or 4% of annual worldwide turnover, whichever is higher, if they are not compliant with the General Data Protection Regulation (GDPR).  Amelia Quinn, trainee advocate at M&P Legal, answers some questions businesses may have.

Why all the fuss?

Technology has outpaced our data protection regime.  Our current laws, such as the Isle of Man Data Protection Act 2002, implement the EU's 1995 Data Protection Directive, a framework conceived in the early 1990s.  Since the turn of the century, the internet, smartphones, social media and similar services have made sharing information considerably easier and, for the most part, effortless.  The consequence is that our personal data is left exposed by laws that are no longer fit for purpose.

In response, the EU has adopted a new framework, the General Data Protection Regulation (GDPR), to address these changes and to protect personal data adequately once again.  The United Kingdom and the Isle of Man have both indicated that they will adopt the GDPR despite the Brexit vote to leave the European Union.

What is actually different?

For the most part, the general principles that underpin our current data protection laws remain the same.  The GDPR goes a few steps further in protecting the data, for example by explicitly including within the definition of ‘personal data’ location data, online identifiers and genetic data.  Widening that definition means organisations must reassess whether data they previously treated as out of scope is now caught, and whether their handling of it is compliant.  The GDPR also reaches internal matters such as human resources records and policies on employees' use of the internet and email, which will need to be compliant by 25 May 2018.

In recognition of advancing technology, the GDPR expressly recognises pseudonymisation: processing personal data so that it can no longer be attributed to a specific individual without additional information (in practice, a key) which is kept separately and protected by technical and organisational measures.  Pseudonymised data is still personal data, because the individual remains identifiable to whoever holds the key, but if that key is kept separate and secure the risk to the data subject is lower, and the GDPR treats this as a safeguard that can lessen the obligations on an organisation in respect of that data.
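The separation of key and data described above can be shown in code.  The following is an added example and is not part of the article or of M&P Legal's advice; the GDPR does not prescribe any particular technique, and the choice of HMAC-SHA256 with a randomly generated key, the sample `RECORDS`, and the function names are assumptions made for illustration.  It also shows why an unkeyed hash of an identifier is not pseudonymisation in the GDPR sense: anyone with a list of plausible identifiers can reverse it.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records for this example; not real people.
RECORDS = [
    {"email": "alice@example.com", "page_views": 3},
    {"email": "bob@example.com", "page_views": 7},
    {"email": "alice@example.com", "page_views": 2},
]


def new_pseudonymisation_key() -> bytes:
    """Generate the 'additional information' (a 256-bit secret key).

    This key is what allows re-identification, so it must be stored
    separately from the pseudonymised dataset (e.g. in a KMS or HSM),
    with access restricted and logged.  Assumed design choice, not a
    GDPR-mandated method.
    """
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Map a direct identifier to a stable pseudonym using HMAC-SHA256.

    The same identifier always yields the same pseudonym under the same
    key, so records about one person can still be linked for analysis.
    Without the key the pseudonym cannot be reversed, nor confirmed
    against a guessed identifier.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Replace the direct identifier in each record with its pseudonym.

    The email address is dropped from the output entirely; this is the
    form in which data would be passed to analysts or a processor.
    """
    return [
        {"subject": pseudonymise(r["email"], key), "page_views": r["page_views"]}
        for r in records
    ]


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier: looks opaque, but is NOT pseudonymisation."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def reidentify_by_guessing(pseudonym: str, candidates, key: Optional[bytes] = None):
    """Try to re-identify a pseudonym from a list of guessed identifiers.

    With an unkeyed hash (key=None) this succeeds for anyone holding a
    candidate list (a dictionary attack).  With HMAC it only succeeds for
    a party that also holds the correct key.
    """
    for candidate in candidates:
        guess = unkeyed_hash(candidate) if key is None else pseudonymise(candidate, key)
        if hmac.compare_digest(guess, pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    controller_key = new_pseudonymisation_key()      # held by the controller only
    shared = pseudonymise_records(RECORDS, controller_key)  # what the processor sees
    for row in shared:
        print(row)

    guesses = ["alice@example.com", "carol@example.com"]
    # An unkeyed hash is reversed immediately by guessing:
    print(reidentify_by_guessing(unkeyed_hash("alice@example.com"), guesses))
    # The keyed pseudonym is not, unless you hold the controller's key:
    print(reidentify_by_guessing(shared[0]["subject"], guesses, new_pseudonymisation_key()))
    print(reidentify_by_guessing(shared[0]["subject"], guesses, controller_key))
```

Note that the first and third records in the output share a pseudonym, so the dataset remains useful for per-person analysis, and that the same key must never be shared with the party receiving the pseudonymised data, or the data is simply personal data under a different column name.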

Clear contract terms and clear consent to data processing will be required under the GDPR.  Organisations can no longer rely on vague, all-encompassing phrases to cover their processing.  They are likely to have to define, categorise, list and document their processing of personal data, and any consent relied on must be freely given, specific, informed and unambiguous.  In practice, data controllers must revisit every business activity that processes personal data and revise their contracts and notices so that they satisfy the GDPR’s requirements for consent, or identify another lawful basis where consent is not appropriate.  This will include a review of employment contracts (generic consent in an employment contract is unlikely to be enough, given the imbalance between employer and employee) and adopting a policy that documents how the business complies with the GDPR.

It will not merely be data controllers who need to ensure that they are compliant: the GDPR places direct obligations on processors too, so they can no longer simply rely on the controller’s compliance.

Where does this leave us?

Organisations must now, if they have not already, take steps to understand why the GDPR matters to them, or face difficulties and potentially fines.  Compliance is key, and organisations would do well to consider how the GDPR affects them both internally and throughout the course of their business.

Amelia Quinn is a trainee Advocate at M&P Legal with special interests in data protection and employment laws.
