What is the General Data Protection Regulation (GDPR)?
An EU Regulation which came into effect on 25 May 2018 and with which Jersey businesses will need to comply if they wish to do, or continue to do, business with EU citizens who use their services or buy their goods.
In addition, Jersey intends to pass a law in broadly similar terms to the EU Regulation and so all Jersey businesses will need to comply, whether or not they have customers in Europe.
What does GDPR change?
GDPR has similar core rules as existing legislation and continues to only deal with personal data.
The key new features are:
• A risk-based approach, with additional oversight and record keeping required of businesses.
• Greater individual rights which will include:
– The right to have all data erased from a business's systems and records.
– Reduced time for a business to respond to a request for access to the information it holds on an individual.
– The right for an individual to restrict the information a business holds about them, and the need for them to give specific consent for certain types of information to be held.
• Children will be given greater protection regarding data held about them and the right to have that information erased.
• Enhanced record keeping, which businesses will be required to show to the Information Commissioner to prove they are monitoring their business appropriately.
• Compulsory breach reporting, which must be made within 72 hours of a business becoming aware of a breach. The current position is that a breach is only investigated if one of the parties involved makes a complaint to the Information Commissioner.
• Sanctions under GDPR for a breach will be high: 4% of the worldwide turnover of the business or €20m (approx. £18 million), whichever is the higher figure. The Jersey law fine level is yet to be confirmed.
What essential steps should a business take now to be ready for the new law?
• Raise awareness and engagement at both senior and staff levels, including training;
• Risk-assess and audit the way data is held and processed, both by the business and by others which hold its data (e.g. IT providers);
• "Spring-clean" the business's data and remove or archive all data which should no longer be held;
• Update policies and procedures to ensure compliance;
• Review whether an individual needs to give consent for the business to hold information about them and, if so, obtain that consent;
• Assess whether it is necessary to appoint a Data Protection Officer for the business.
What can we do to help you?
We can help you through this process, advise on what needs to happen and when, help you draft your procedures, train your staff and give you practical advice on how to interpret the laws.