This article first appeared online at Business Insider on 10 March 2017.

The EU General Data Protection Regulation (GDPR) will be the biggest shake-up of data protection law for 20 years, affecting any organisation that uses or holds information about living individuals ("personal data").

With the UK Government having confirmed that it expects GDPR to come into force in the UK as planned in 2018, despite Brexit, planning now for the new regime is advisable.

What is the purpose of GDPR?
GDPR seeks to overhaul the existing data protection regime - in the UK, the Data Protection Act 1998 - to modernise the legislation and to regulate increasingly sophisticated uses of personal data (such as big data and data profiling), which weren't contemplated when the old legislation was drafted.

In addition, GDPR seeks to raise the bar in terms of making organisations more accountable for how they use personal data and putting the onus firmly on them to demonstrate that they are complying with GDPR's requirements.

What are the key changes?
GDPR builds on the existing legislation, so many of the concepts from current data protection law are retained in the new regime. To that extent, GDPR is evolutionary. But it is also a game-changer in terms of imposing new and potentially onerous obligations on organisations, backed up with a significantly beefed-up fining regime for failures to comply.

1. Consent - the requirements for 'consent' are tightened so that 'clear affirmative action' will be required for consent to be established.

The days of pre-ticked boxes will finally come to an end. Instead, individuals will need to actively consent to the processing of their data for one or more specific purposes and, where consent is sought for multiple purposes, then that consent will need to be unpacked so that individuals can consent to some purposes but not others.

2. Transparency - organisations must provide more information to us when they obtain our personal data, explaining in more detail how that data will be used, how long it will be retained and, if it is to be stored outside the EEA, where it is to be held and how it is to be safeguarded.

3. Access - the rules allowing us to access our personal data and to obtain information about how that data is being used are being strengthened, and the timescale for responding is being shortened (from 40 days under the current Act to one month).

4. Privacy by design and default - organisations will be obliged to 'hardwire' privacy considerations into their day-to-day operations and projects through measures such as minimising the amount of data held and activating privacy-friendly settings in technology.

5. Profiling - individuals are given protections against automated decision-making, including decisions based on profiling.

6. Breach notifications - there are express statutory obligations to notify the privacy regulator (within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals) and to notify affected individuals where the breach is likely to result in a high risk to them.

7. Accountability - organisations will have to be able to demonstrate to privacy regulators that they are complying with the GDPR on an ongoing basis.

8. Sanctions - the maximum fines that can be imposed for serious contraventions are €20 million (approximately £17 million) or 4% of total worldwide annual turnover, whichever is higher; lesser contraventions also carry hefty fines, with a lower tier capped at €10 million or 2% of worldwide annual turnover.

What should I be doing now?
Although 25 May 2018 seems a long way off, for most organisations there will be a lot to do, so the time to act is now.

Some basic preparatory steps include:

1. Resource and planning - plan your project and get it properly resourced. Consider whether you need to appoint a data protection officer.

2. Information mapping - build a complete picture of the personal data you hold, where you hold it, where it comes from and what you do with it.

3. Data minimisation - if you hold personal data you no longer need, cull it now (securely).

4. Technology - make sure that any new technology you buy/develop is GDPR-compliant.

5. Contracts - the contracts you enter into now may last beyond May 2018. Futureproof them as far as possible.

In addition, the UK Information Commissioner's Office is a good source of information on GDPR, including publishing regulatory guidance on key compliance areas.

What's the incentive?

If the penalties for breaching GDPR aren't sufficient incentive, taking data protection compliance seriously makes sense from a business perspective as well.

Over the last year, we have seen that major brands risk real damage and loss of trust where they have had data issues.

In the case of TalkTalk, the data breach cost the company an estimated £42 million and the loss of around 100,000 subscribers.

In the charitable sector, the British Heart Foundation and the Royal Society for the Prevention of Cruelty to Animals have recently been fined by the ICO for inappropriate screening of donor data as part of their fundraising activity, which may affect future donations.

With individuals becoming increasingly aware of and concerned about privacy issues, those who take GDPR seriously will not only avoid the larger fines that contravention will carry; they will also be able to send a positive message about trust, and that may increasingly be a differentiator from those around them.

Grant Campbell is Head of the Commercial Services Division at Brodies LLP. For more information, contact Grant.
