21 May 2018

Atta Legal Update: GDPR

As you will be aware, the new General Data Protection Regulation comes into effect on 25 May. It covers data held anywhere in the world relating to EU citizens and therefore can cause issues for businesses based outside the EU as well as within it. It remains to be seen, however, how any enforcement action could be taken outside the EU itself, since it is each individual government's obligation to enforce the new rules. In the UK that is the role of the Information Commissioner (www.ico.org.uk), where members can find a handy, simple 12-step guide to the new rules.
The fundamental issues are to ensure that data is held for as short a period as necessary, is relevant, has the consent of the person concerned, and that anyone, at any time, can demand to see copies of all information held and demand that it be deleted or amended if so wished. The new Regulation carries with it a threat of fines of up to 20 Million Euro for breaches of the new law, but this is really cloud cuckoo land; in reality a letter of warning is likely to be the outcome if a complaint is made, and very few complaints are made in any event. If there has never been a complaint about data in the past, there is no real reason to assume that situation will change in future.
The real change is the need for new Privacy Notices setting out what data you will hold, why you hold it, what purpose it will be used for, and how to have it changed or deleted. This Draft is intended to cover all eventualities, but for those who do not, for example, use data to analyse bookings, simply remove the whole section. Any website should carry a hyperlink to the Privacy Notice, and members should consider how they approach existing clients currently on their database.
The vast majority of UK businesses have emailed their database asking for permission to continue to hold customer details, with a warning that if there is no reply before 25 May, the details will be removed. This is likely to result in a huge drop in your database but is a clear way to show compliance. Alternatively, an email could be sent telling customers that a new Privacy Policy is in effect, with a link to it, and if they wish to be removed as a result they can unsubscribe. This is likely to see fewer losses and is probably equally compliant. The ICO, however, has been reluctant to give advice in this respect, but it seems that so long as businesses can show a reasonable effort has been made to comply, that should be sufficient.