This article was published in the Winter issue of Historic House: The Historic Houses Association Magazine and is reproduced by kind permission.
Historic houses need to act now
The General Data Protection Regulation (GDPR) applies from 25 May 2018. This strengthens data protection laws in favour of individuals and introduces much larger fines for non-compliance. It is important to take steps now to become compliant.
However, let us clear up some misconceptions used to suggest that GDPR can be ignored: GDPR applies to all organisations processing personal data, regardless of their size. Though it will not apply to processing for domestic purposes, the processing of personal data for commercial or charitable purposes will be caught. Finally, although this is EU legislation, GDPR will still apply in the UK after Brexit. To emphasise this, the UK government announced legislation in August for the implementation of GDPR.
GDPR cannot therefore be ignored by the historic houses sector. So what does it provide for?
GDPR strengthens the rights of individuals. For example, if an organisation relies on consent for marketing to individuals then that consent will need to be opt-in (a positive indication of consent) rather than opt-out (an indication that the customer does not want to be marketed to). Another key feature of GDPR is its 'zero day' approach, meaning everything must be compliant by May 2018.
This means that existing opt-out consents cannot be relied upon after May 2018. Continued processing of that data on that basis, after that time, risks enforcement action. Organisations need to go back to their customers to obtain fresh consent for this data or seek to rely on other grounds to process it, whilst clearly explaining this to customers. This greater transparency is another main aspect of GDPR and means that privacy policies will need to be revised and re-issued.
Many organisations also rely on third parties to help them process personal data, for example a company managing a historic house for its owners. GDPR re-calibrates these relationships because it places direct regulatory obligations on these data processors for the first time and sets out very prescriptively what must be in their contracts. Data processors will also need to provide much more help to organisations when customers exercise new rights granted by GDPR, such as the right to have data deleted. As a result, contracts with these service providers will need to be revised before zero day.
To emphasise the importance of data protection, GDPR is backed up with serious sanctions for non-compliance. Fines are set at the higher of €20 million (approximately £15.6 million) or 4% of annual turnover, compared to current fines in the UK of up to £500,000. The Information Commissioner could also order organisations to stop processing personal data until operations are brought into GDPR compliance. This could obviously be very disruptive.
We are now well over half-way through a two year implementation period. Many organisations are taking steps to be compliant, but time is running out, given the degree of change required. To achieve a basic level of compliance, a start needs to be made now to understand how personal data is being used by you, and the steps required to meet GDPR standards.
If you require further information on anything covered in this briefing please contact Ian De Freitas or your usual contact at the firm on 020 3375 7000.
This publication is a general summary. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2017