A major milestone in EU data protection law was marked when the General Data Protection Regulation came into force just before the EU Referendum. A huge piece of legislation that was set to replace the UK’s Data Protection Act 1998 from May 2018, it marks a tough new era in EU-wide data protection, with new powers for data regulators and much stricter operating boundaries for businesses that process personally identifiable information about individuals.
But for UK companies imagining that Brexit will have changed the need for them to comply, there’s a warning that they ignore the new requirements at their peril, as they’re likely to find that they have to comply with the Regulation, or with a UK version in a very similar form. Getting the upgraded systems and processes in place will take time, and businesses that delay risk missing out on future trading.
The over-arching aim of the new Regulation is to harmonise data protection across all EU member states, and being an EU Regulation, rather than a Directive, it becomes law without the need for any national legislation in the 28 individual EU countries. It should make it simpler for everyone, including non-European companies, to comply with data protection, but it comes at a cost, with greater responsibilities for data processors and with severe penalties of up to 4% of worldwide turnover for non-compliance.
The biggest change is that the Regulation applies to any business processing personally identifiable information about EU citizens, not just to businesses based within the EU. This means that any UK business that is trading with EU citizens will be affected, as will anyone who transfers personal data from the EU to the UK for processing or storage.
And it’s expected that any new legislation brought in by the UK Government will be equally tough. According to the Information Commissioner’s Office – the UK’s regulator – the GDPR is still relevant for the UK, saying “the underlying reality on which the policy is based has not changed”.
The situation may be further complicated during the transition process: until the UK has data protection laws which the European Commission recognises with a formal adequacy decision, companies that move personal data from the EU to the UK would need to implement some other mechanism, such as standard contractual clauses approved by the Commission.
It means that UK businesses, whatever their size, that trade in the EU or want to be able to transfer personal data in from the EU should be looking to adopt the GDPR as a minimum standard.
For any trading relationship between the UK and the EU, our data protection law will need to be broadly equivalent. If we were to stick with the current 1998 Act, we could expect other countries to view our regime as providing insufficient protection.
The main provisions of the GDPR include:
Consent – Currently, much data is collected on the basis that individuals will choose if they wish to opt out. In future, an individual will have to make a positive action that demonstrates their consent, in order for their data to be collected. The consent can be withdrawn at any time, as individuals have ‘the right to be forgotten’ and can also transfer their data elsewhere if they choose.
There will also need to be separate consent for the processing of data for a new purpose, beyond that for which it was originally collected.
Transparency – More information will have to be provided by the processor from the outset about how data will be used and how long it will be kept for, as organisations must not hold on to data for any longer than absolutely necessary.
If it’s going to be stored outside the EEA, details must be provided of where it will be stored and what safeguards will be in place.
Accountability – There is a shift from risk management to compliance, so in future organisations will have to be able to show that they are actively complying with the GDPR, not just identifying risks or responding to breaches as they occur.
They will also have to demonstrate that privacy is considered at every stage of their operations.
Specialists – A specialist Data Protection Officer will be an obligatory appointment for most public bodies and for any organisation controlling or processing data where core activities involve “regular and systematic monitoring” of data subjects “on a large scale”.
For an organisation that subcontracts its processing, a high duty of care is imposed in selecting the data processing provider, with procurement processes to be followed and regular ongoing reviews once the provider is appointed.
Breaches – Currently some breaches may be managed internally without reporting, but in future there will be a statutory obligation to notify the regulator – the ICO in the UK – and the individuals affected, if there is any risk to an individual’s personally identifiable information as a result of any breach.
Fines will be imposed for breaches, up to a maximum of €20m, or 4% of total worldwide turnover for businesses, for serious contraventions.
Children – No one under 13 can give their consent to the processing of personal data in relation to online services, and so parental consent must be obtained.
Member States are free to set their own rules for those aged 13-15; if they do not, parental consent will be required for children under 16.