The GDPR comes into force on 25 May 2018. It will reform data protection law fundamentally throughout the EU.
As a Regulation, it will have direct effect, repealing the Data Protection Act 1998 (DPA), which implemented Directive 95/46/EC. The UK’s departure from the EU will have no effect: the UK will be bound by it until it leaves the EU in 2019, but even in the event that the UK faces a “hard Brexit”, legislation in substantially the same form will need to be preserved or re-enacted to ensure that EU countries can export personal data to the UK. A data protection bill designed to achieve this was announced in the Queen’s Speech this month.
In the GDPR, key definitions and the 8 data protection principles are effectively preserved. The role of the Information Commissioner’s Office (ICO) as the UK’s supervisory body for data protection matters will be enhanced and will remain central to the task of advising businesses and individuals on the new legislation and enforcing its provisions.
Why do we need new legislation?
The growth of data technologies has meant that the DPA is now passing its “best before” date. Technology developments that will involve new ways of processing personal data include social media, artificial intelligence, the “internet of things”, “big data” and also genetic/biometric data. More widespread abuses of personal data and well-publicised data security breaches have led to a growing public expectation of privacy. In the interests of harmonisation, the European Commission also wishes to correct increasing divergences in national law.
There will be a greater compliance burden on businesses, which will need to put data protection compliance “centre-stage” by instituting “privacy by design and by default”. All data processing activities must take a risk-based approach backed by good compliance documentation. Data controllers will need to make Privacy Impact Assessments before implementing new technologies/data processing techniques.
There will no longer be a requirement to register or notify data processing activities with the ICO, but the ICO will have the right to inspect all compliance documentation. It will therefore be essential to document everything done to achieve compliance with the GDPR and the reasons why certain policies relating to personal data have been adopted.
One particular issue which has already given rise to much discussion is consent. If data subjects have given consent to process their data, such consent must be “freely-given, specific, informed and unambiguous”. It is very likely that in most cases fresh and very specific consents will need to be obtained. The days of opt-out or pre-ticked opt-in boxes are now truly gone.
Data subjects will have enhanced data subject rights in connection with making “subject access requests” (SARs), making objections to data profiling and insisting on data portability.
They will have a formal right of erasure, the so-called “right to be forgotten”, enforced by seeking comprehensive deletion of all personal data records held.
In the event of a security breach, data processors will be obliged to notify the ICO within 72 hours of its occurrence. Failing to notify could result in significant penalties even if data subjects are not put at significant risk.
The GDPR will make it mandatory for public authorities and entities that process “sensitive” personal data to appoint a data protection officer. Such a person will have effective whistleblower protection and must have access to senior personnel. This is entirely consistent with the implementation of a culture of data protection by design and by default.
Sanctions and penalties
These will be much higher. Monetary penalty notices (MPNs) for “serious contraventions” of the DPA causing “substantial damage or distress” can presently result in a maximum penalty of £500,000. After the GDPR is implemented, MPNs may be imposed of up to the greater of 2% of annual worldwide turnover in the previous financial year or €10,000,000, or the greater of 4% of that turnover or €20,000,000, depending on the type of breach. MPNs may be imposed on data processors as well as data controllers. Relevant parties will also remain subject to civil actions for damages.
Businesses and organisations of all kinds must now look long and hard at how they treat personal data, whether of employees, customers, potential customers or contacts. They should begin a risk evaluation of every aspect of their activities that involves the processing of personal data, taking account of matters such as the effectiveness of any consents they already hold.
It will also be necessary for organisations to review data protection clauses in commercial contracts as well as stand-alone data processing agreements with third-party processors. Now would also be a good time to examine the security measures taken to preserve the privacy and integrity of the personal data that is held. The legal basis for exporting data outside the European Economic Area should now be reconsidered and data processor/controller contracts reviewed. More day-to-day matters, such as investigating the reasons why personal data is kept for as long as it is, and whether the business is geared up to respond promptly and effectively to a SAR or a request to delete or modify data, must now be given active consideration.
For further advice on the above topics, please call us on 01483 543210 or alternatively email email@example.com