Notices & News
General Data Protection Regulation (GDPR)
6th March 2018
Dear Association Members,
IMPORTANT: CHANGES IN EU DATA PROTECTION LAW – MAY 2018
As you may be aware, on the 25th May 2018 – only 80 days from now – the EU's new privacy law, the General Data Protection Regulation (GDPR), becomes enforceable. The Regulation has a significant impact on how personal data is collected, stored and used, and requires almost every business to review its data protection policies and systems in order to avoid substantial financial penalties. Some obligations can be resolved fairly quickly and simply; however, particularly in large or complex organisations, there could be substantial IT, budgetary and compliance implications.
As BACA stores a significant amount of member data, we have been actively addressing GDPR compliance for a number of months to ensure that we do our utmost to protect the information which we hold about you, our members, together with the users of our website. You will therefore see some more emails from us in the coming weeks seeking your individual confirmation to continue to store the personal information you have provided us with in the past and to contact you with information about BACA. If we do not receive that confirmation we have no choice but to remove you from our systems (which we don’t want to do!) – so you can see the potential impact is large.
For the majority of businesses, this means appointing a named person within your organisation who is responsible for data protection (a formally designated Data Protection Officer is mandatory only for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data, but someone must own compliance either way), identifying a lawful basis for each use of personal data, and, where you rely on consent, obtaining a positive confirmation from the individual and recording it securely. Note that consent is only one of the six lawful bases set out in Article 6 of the Regulation; performance of a contract and legitimate interests are often the more appropriate basis for routine client, customer and supplier data, and a business that relies on consent alone must delete or anonymise the data of anyone who does not give it or later withdraws it. It is easy to visualise the impact this has on the storage of information such as passenger names, dates of birth, passport details and addresses.
As you can see, the Regulation, which entered into force in May 2016 but has been largely ignored outside the IT industry, requires your urgent attention. The maximum fine for breaching the Regulation is up to €20 MILLION or 4% of global annual turnover, whichever is the higher, although it is expected that corrective powers and lesser sanctions would be the first course of action for companies failing to comply.
This EU Regulation, adopted in April 2016, replaces the 1995 Data Protection Directive and the patchwork of national laws that implemented it with a single framework protecting the personal data of individuals in the EU, and it applies directly in every Member State without the need for national legislation. It is therefore vital that companies based in Europe ensure they comply with it. Note too that the Regulation also reaches companies established outside the EU if they offer goods or services to, or monitor the behaviour of, individuals in the EU.
The EU provides this guidance: https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en. And individual EU country regulators are available here: http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48619
For UK-based companies, who make up a significant proportion of BACA Members, the Regulation is enforced by the Information Commissioner's Office (ICO): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ and the ICO's 12-step preparation plan is available to view here: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf. You will all be pleased to know that it is likely that GDPR will continue to apply in the UK regardless of the outcome of Brexit!
Whilst we would like to be in a position to provide more specific guidance on the implementation of GDPR in your particular organisation, we hope you can appreciate that doing so would significantly stretch the limited resources BACA has. We would therefore actively encourage you to research the Regulation at the above web addresses and take appropriate action. What we would say is that the task initially seems daunting but is in reality achievable once the basic requirements are understood – if the small team at BACA can achieve it, we very much hope that our Members will be able to as well!
If there is something specific that you would like to ask, please don’t hesitate to contact us, however please do note we are unable to help with the detailed specifics of implementation within your organisation.