On May 25th the General Data Protection Regulation (GDPR) will come into effect and is set to introduce some significant changes. It may not be the first thing a park owner thinks about, but data protection laws here in the UK apply as much to holiday and home parks as they do to any other business sector.
Understanding the impact of these changes and identifying which issues are relevant will be a challenge for many park owners. So what is changing and what should you be doing now to make sure that next year does not hold any nasty surprises? Iain Jenkins, a legal expert in GDPR from Blacks Solicitors LLP, provides an overview of everything park owners need to know:
Does the GDPR apply to me?
“The answer is almost certainly yes. The obligations of GDPR fall on all organisations which process personal data regardless of their size or type. “Processing” includes using data in almost any way whatsoever (including receiving it, storing it, copying it and destroying it); personal data is any information from which a living individual can be identified and will include, for example, information relating to customers and employees. Those definitions are very broad and as a park owner or operator you are almost certainly subject to the GDPR and everything in it.”
How will Brexit affect GDPR?
“One thing to note at the outset is that there is almost no chance of the GDPR going away. Technically it is already part of UK law and both the government and the Information Commissioner have made it clear that it will come into force as planned, regardless of how Brexit negotiations go. Even if there was a complete change of direction, you would still have to comply with the GDPR if you sell goods or services to EU citizens.”
How will the changes impact the rights of individuals?
“In a nutshell, old rights are being strengthened and new rights being introduced. There is a new “right to be forgotten” which gives individuals the right to require you to remove their data from your systems and the right to data portability, designed to allow individuals to obtain and reuse their personal data for their own purposes across different services. Subject Access Requests, which are nothing new, will have to be complied with in less time (one month as opposed to 40 days) and the right to impose a fee of up to £10 for processing a Subject Access Request is being removed.”
What are my obligations as an organisation?
“Even where individuals’ rights remain the same, the obligations placed on organisations in relation to them are set to become stricter. Keeping a record of the decisions you make regarding data protection is now a legal requirement, as is maintaining records of what data you have and why you have it. Much more information is now expected to be provided to individuals as well in the form of privacy policies.
“It is important to note that these obligations apply regardless of the size of your operation.”
Tate Chakrabarty, another legal expert at Blacks Solicitors, adds his advice on what to do now:
1. Make sure that the key decision makers are aware of data protection generally and that the law is changing in less than a year. Provide staff training to those who handle the data on a day-to-day basis and ensure they are up to speed with the obligations on the business and the way to use/store data that is obtained.
2. Assess what information you have, where it came from and who you share it with. What you will need to do will depend on the data that you have.
3. Document the result of your assessment.
4. Check that you have privacy policies in place and, if so, that they set out the basis for processing data and what you do with it.
5. Familiarise yourself with the rights of individuals and satisfy yourself that you can deal with a request for those rights to be acted on. If you are a large operator, you should have written procedures in place to do so and make sure that your employees recognise such a request if one comes in.
6. Make sure you know what to do if there is a data breach (for example, if an individual’s data goes astray). Put a procedure in place to deal with reporting and investigating a breach.
7. Record everything you do. Accountability, being able to show what you have done to comply with your obligations, will be vital.
8. Don’t leave everything until the last minute: do a data protection audit now!
Blacks Solicitors LLP is the leading law firm in the North of England for the parks sector. Our Parks Team is made up of specialists who have combined their technical legal knowledge with an understanding of the parks industry to offer a wide range of services including transactional services on the sale and disposal of parks, regulatory and management services in relation to a wide range of matters on parks (including disputes and managing employees) and succession planning.