With stricter data protection regulations arriving next year, what will companies need to do to prepare for enhanced requirements and not fall foul of the law?

On 25 May 2018, the General Data Protection Regulation (GDPR) will come into force, replacing the Data Protection Act 1998. The changes, in the main, place the responsibility for protecting personal data squarely at the feet of the businesses that hold that data. And the identity and recording requirements of the Scrap Metal Dealers Act 2013 mean that, to carry on business lawfully, scrap metal dealers must hold personal data, and often a great deal of connected data.

So, what is personal data?
Relating to a living individual, personal data enables the holder of the data to identify that person. The data fall within the definition even if the holder of the data (or data controller) can only identify the individual with the help of other information it holds. In other words, CCTV footage or a simple vehicle registration number may be sufficient to identify a person, and so could fall within the definition of personal data, depending on the other information the data controller has.

What is new in the GDPR?
There will be a new accountability principle, which means scrap metal dealers must have policies and procedures in place to show they comply with the new law.

Another key principle is security, both offline and online. Organisations such as scrap metal dealers, which hold payment card and BACS details together with copies of documents such as driving licences, are advised to be particularly vigilant to prevent theft of that data, including identity theft, from the individuals concerned.

Cyber-attacks, in particular, can be both high-profile and disabling, and may lead to significant reputational damage. For example, there have been several debilitating security breaches because large organisations failed or neglected to apply security patches to their software.

Two principles, retention and accuracy, are likely to be of particular relevance to metal recyclers. Personal data should not be retained for longer than is necessary. Given that the SMDA requires the retention of records for three years, keeping them any longer than this could put companies in breach of the retention principle. If the information is in any way out of date, they could also fall foul of the accuracy requirement.

More importantly, the Information Commissioner will now have the power to impose fines for breaches of up to four per cent of annual turnover.

What should we be doing?
While many companies will have registered with the Information Commissioner's Office as a holder of personal data, many will not have taken any action since. Now, to ensure compliance with the GDPR, dealers will have to: designate a member of staff with responsibility for data protection; introduce a Data Protection Policy; and, possibly, introduce a Data Retention Policy. They will also be required to report any breaches of the law to the Information Commissioner.

Before drawing up and implementing these policies, companies will need to carry out a review of the personal data they hold, how that data are held, and who has access to that data. It may be advisable to carry out a Privacy Impact Assessment and to review any contractual arrangements with third-party suppliers. However, for small and medium-sized dealers, this exercise is likely to be quite straightforward.

What about Brexit?
Brexit is unlikely to affect the introduction of the new law, which comes into force before the United Kingdom leaves the European Union. In any event, the UK will need a regulatory regime similar to the GDPR in order to continue to do business with the EU.

In conclusion, the Information Commissioner emphasises the importance of conducting individual assessments, and making decisions based on the particular requirements of your own business. Adopting standard data protection policies and procedures is likely to mean you cannot justify your decisions when something goes wrong. Compliance cannot be bought in a tin off the shelf.

The Author

Mariel Irvine
Principal of Mariel Irvine solicitors and a qualified Data Protection Practitioner