Anyone in business in the UK who collects or processes data from European Union citizens needs to be aware of the General Data Protection Regulations (GDPR) which come into force on 25th May 2018.
Whether you are a business owner holding a Tier 2 or 5 Sponsor Licence, a director of a company on a Tier 1 Entrepreneur Visa, or a freelancer having entered the UK on a Tier 1 Exceptional Talent Visa, not only must you be up to speed with the changes the GDPR will bring, but your organisation must be fully compliant before they come into force.
OTS Solicitors is a highly-ranked Legal 500 law firm and has years of experience in Immigration Law. Our London-based immigration solicitors can provide companies and individuals with the best advice on the requirements of the GDPR and how to achieve compliance.
What is the GDPR?
The GDPR is an EU directive which was passed on 24th May 2016. The reasons to change the law are two-fold; 1) to bring the law surrounding data protection up to date with the ubiquitous use of social media and cloud computing, 2) to create a uniform regime across the entire EU, a move that is expected to save businesses collectively €2.3 billion per year.
All controllers and processors of data must comply with the GDPR. Failure to do so can result in a fine of €20 million or 4% of global annual turnover – whichever is highest. A data controller is an individual who determines how and why personal data is to be processed, and a processor is someone who does the actual processing.
The British government has made it clear that the GDPR will continue to apply post-Brexit. And it is not only businesses that will be affected. Charities, NGOs, local government and healthcare providers will all need to ensure they are fully compliant with the incoming regulations. Tier 1 Entrepreneur Visa holders who plan to invest in a start-up need to be aware that new ventures must be compliant with the GDPR from day one.
The Information Commissioner’s Office (ICO) will be responsible for enforcing the GDPR in the UK.
The GDPR contains six general principles as laid out in Article 5, which directs that all data must be:
- Processed fairly, lawfully and transparently;
- Collected for specified legitimate purposes only;
- Adequate, relevant and limited to what is necessary in relation to its purpose;
- Accurate and kept up to date;
- Stored for no longer than is necessary; and
- Processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage.
How to achieve GDPR compliance?
The most important first step to GDPR compliance is to conduct a full audit of all your data, establishing what your organisation currently holds, where it is kept and who has access to it. Any weaknesses in your data protection policies and procedures should be identified and dealt with.
You will need to ensure that the personal data your organisations collects is gathered legally and within strict legal guidelines. When processing the data, make sure it is protected from misuse and/or hacking and be available to its owner if requested.
Each business will have its own method for achieving GDPR compliance as there is no ‘one size fits all’ model available.
The ICO states; “You are expected to put into place comprehensive but proportionate governance measures. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.”
After making a detailed review of the data held, your organisation should take the following steps to meet compliance:
- Appoint a Data Protection Officer (DPO). This is a requirement under the GDPR if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
Even if you are not required to appoint a DPO, it is good practice to have someone in charge of data protection who will ensure your organisation reaches compliance and continues to comply with the regulations going forward.
- Communicate GDPR requirements throughout your business. Make sure those who are processing data understand the new legal framework. For example, if your marketing team is collecting and processing data to conduct direct marketing campaigns, they must be aware of the GDPR requirement that consent to use data must be clearly and expressly provided by the owner. This is likely to be best achieved by adopting a policy of ‘opt-in’ consent from May 2018 rather than ‘opt-out’; the model which many companies currently use*.
- Make sure all your organisation’s data, whether contained on a mobile device or a personal computer reaches a central location for storage. One of the primary GDPR requirements is that any data breach must be reported to the ICO within 72 hours of you becoming aware of it, and if the breach is likely to result in a risk to people’s rights and freedoms. If your business is a multi-national with several servers and individuals storing data on individual devices, tracking down where the breach occurred and who has been affected can be like trying to find a needle in a haystack. Although the ICO will not expect a full-scale report immediately following a breach, it will want details of the likely scope and the reason for the breach, mitigation actions you plan to take, and how you will address the problem. Having data stored in a centralised system (taking care to encrypt it) can save valuable time if a breach occurs. In addition, data owners will be able to demand access to their data and for it to be erased from your system under the GDPR. This is much easier to achieve if everyone knows where all the data relating to an individual is kept.
Preparation for the GDPR should be on the radar of all companies before we move into 2018. And if you plan to move to the UK in the New Year to join an existing business or launch a start-up, it is crucial that you understand the compliance requirements.
* An example of an ‘opt-out’ clause is “Please tick if you do not wish to receive updates on our latest offers and products.
OTS Solicitors is one of the most respected immigration law firms in London and is a Legal 500 leading firm. By making an appointment with one of our business immigration solicitors, you can be assured of receiving some of the best legal advice available in the UK today. Please contact us on 0207 936 9960.