The EU General Data Protection Regulation comes into effect on 25 May 2018, representing the greatest change to data protection laws in a generation. Currently, data protection in the UK is governed by the Data Protection Act 1998 (based on the Data Protection Directive (“DPD”)). There has been a call for reform in large part due to the major advances in information technology; in particular, the way in which individuals and organisations communicate with each other and share and store personal information through the use of electronic communications, social media, the cloud and the internet generally.
Many of the concepts and principles in the new legislation are much the same as those in the current Data Protection Act. For example, certain key concepts such as data subjects (ie individuals), personal data, data controllers and data processors broadly remain the same. However, there are important new elements and some things would need to be done differently. The Information Commissioner has warned as follows: “If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you are leaving your organisation open to enforcement action that can damage both public reputation and bank balance, but there is a carrot here as well as a stick: get data protection right, and you can see a real business benefit”.
Below is an outline of some of the key points under the General Data Protection Regulation (“GDPR”). The Information Commissioner’s Office (“ICO”) is advising that businesses should take action right away and review their existing compliance procedures so that they are ready for when the new law comes into force. A checklist has been issued by the ICO setting out 12 steps businesses can take now in preparation.
- New approach to compliance – businesses would become responsible for assessing the degree of risk that their processing activities pose to data subjects. For example, data controllers may need to maintain documentation, carry out privacy impact assessments and process only the minimum personal data necessary. In some cases, a data protection officer may have to be appointed.
- Registration – there would be no need to register with the ICO. Instead, businesses with 250 or more employees would have to record their processing activities in detail and in a prescribed manner. Smaller businesses would only be subject to this new obligation if the processing is likely to result in a risk to the rights and freedoms of individuals.
- Consent – a very high standard of consent would be required under the GDPR. Data subjects would, in future, need to give freely a very clear, affirmative, informed indication of their consent. Explicit consent would still be required to process certain categories of personal data. Individuals would have to be informed of their right to withdraw consent at any time.
- Relevance to non-EU businesses – those who are currently not required to comply with the DPD would need to comply with the GDPR; for example, where they offer goods/services to individuals in the EU, or they track those individuals’ online behaviour through the use of cookies.
- Greater enforcement powers – currently, in the UK, the maximum fine for non-compliance is £500,000. However, under the GDPR, the maximum fine would increase substantially to up to 4% of annual worldwide turnover or €20,000,000 (whichever is the greater).
- New obligations for data processors – their contracts with data controllers would have to include certain obligations (eg to comply with security obligations, employ staff who have given confidentiality undertakings or process data in accordance with written instructions).
- Obligation to notify ICO of data security breaches within 72 hours – all data controllers would be required to do so unless the breaches are unlikely to result in a risk to the individuals concerned. They may also have to notify the affected individuals promptly.
- Individuals’ right to have personal data deleted promptly – this would apply in certain circumstances (eg where the data is no longer necessary for the purpose for which it was collected, or the individual withdraws consent).
Would this matter in post-Brexit UK?
In short, yes. The data protection minister stated after the referendum last year that if the UK were to remain in the single market, the EU data protection rules might apply fully. If not, EU rules might be replaced by national rules. Either way, the prevailing view is that the UK would still need to have an adequate level of data protection where it wishes to share data with EU member states or to handle data of EU citizens. While the UK may well be leaving the EU, the GDPR makes it clear that those businesses outside the EU who conduct activities within it may be subject to the new EU data protection regime.