General Data Protection Regulation and its implications for Farms and Estates

 

What is GDPR?

The General Data Protection Regulation (GDPR) will come into effect in the UK from 25 May 2018. Even though GDPR is Europe’s new framework for data protection laws, the Government has confirmed GDPR will continue to apply to the UK after Brexit.

Does it apply to me?

The GDPR has a huge scope and will apply to almost all farms and Estates. If your business processes, stores or transmits personal data then GDPR will apply to you. ‘Personal Data’ means any information that can directly or indirectly identify a person, for example tenant names and contact details, employee information and customer lists. The GDPR applies to both automated personal data and paper records.

The one exception is that the GDPR does not apply to people processing personal data in the course of exclusively personal or household activity. This means you wouldn’t be subject to the Regulation if you keep personal contacts’ information on your computer or you have CCTV cameras on your house to deter intruders.

What do I need to do?

The current UK data protection law encompasses many of the main concepts and principles of GDPR. However, there will be additional obligations and potential liabilities. The Information Commissioner’s Office website provides some useful information on preparing for the GDPR, but in brief the following steps are recommended:

  1. Awareness – Make the relevant people in your organisation aware that the law is changing and the implications of GDPR for your business
  2. Information Audit – Undertake a data audit and document what personal data you hold, where it came from and who you share it with
  3. Privacy Notices – Review your current privacy notices and implement any necessary changes to encompass the requirements of GDPR
  4. Individuals’ Rights – Ensure your procedures take into account all the rights individuals have in respect of the data you hold
  5. Access Requests – Consider how you would handle data requests from individuals
  6. Lawful Basis – Establish the lawful basis upon which you currently process personal data
  7. Consent – Consider whether you need to obtain consent for the data you process
  8. Children – Do you need to obtain parent or guardian consent for the data you process?
  9. Data breaches – Check your procedures for dealing with a personal data breach
  10. Take responsibility – Designate someone in your organisation to take responsibility for data protection compliance

 

For further information contact Rebecca Ruck Keene email