GDPR Statement

CHANGES TO DATA PROTECTION

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will replace the current Data Protection Act governing how Fluent Technologies Limited processes your personal data. The GDPR is an EU regulation and the Government has confirmed that it will apply to the UK despite Brexit.

The GDPR was developed to create a more up to date law for data protection reflecting the changes in the digital age and strengthening the rights of individuals and how their personal data is processed and protected. Many of the GDPR’s main concepts and principles are much the same as those in the Data Protection Act but with new elements and enhancements and a greater emphasis on accountability and how organisations demonstrate their compliance.

The main changes are:

Data breach fines increased: maximum fine increased from £500,000 to €20 million OR 4% global turnover. Failure to report a breach, when required to do so, can result in fines.

Breach notification: to be notified to the Information Commissioner’s Office (ICO) within 72 hours (subject to exemptions) and to the data subject where the breach might result in a high risk to their rights and freedoms.

Consent: consent to process data must be “freely given, specific, informed and unambiguous”. Consent must be provided by clear affirmative action with “explicit” consent required for sensitive personal data.

Sensitive personal data: called ‘special categories of data’ and is extended to cover genetic and biometric data.

Subject Access Requests: organisations will not be able to charge for dealing with a request and the response will need to be provided within 1 month (currently 40 days).

Right to be forgotten: data subjects can request deletion of their personal data in certain situations.

Accountability: data protection by “design and default” is required to demonstrate compliance; clear and detailed privacy notices to inform data subjects about the legal basis for processing their data and how it is processed; preparation of data protection impact assessments for high risk processing; maintain internal records of personal data being processed and retention schedules.

Data Processors: have some direct statutory obligations as well as data controllers.

Children: special protection for children’s personal data with new rules for consent.

International Transfers: restrictions on transfers outside the EU to ensure protections afforded by the GDPR are not undermined.

Fluent Technologies Limited is making preparations for the changes.

Further information will made be available as necessary on the progress towards ensuring that the company is ready for the new rules coming into force.

Date: 7th Feb 2018.