Data protection law has recently been updated by Europe and will be in place in less than two years. Despite the Brexit vote, businesses and organisations need to note the numerous changes as the penalties for breaches will be severe and adjusting to the new rules will take time.
The European Union’s General Data Protection Regulation (GDPR) was finalised at the end of April 2016 after four years of discussion, disagreement and negotiation and will directly affect all member states of the EU from May 2018.
Firms have a choice. They can either take the GDPR seriously and use it as an opportunity to review their approach to data protection or they can hope it goes away – which it won’t.
But a question arises: Now that we’re scheduled to leave the EU, will the GDPR still matter? The answer is yes – it will. The UK will still be an EU member state when the legislation comes in, and when we leave it will be in the UK’s interest to have something equivalent to the GDPR for trading reasons. The GDPR’s obligations also bite on any company, wherever it is based, that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour.
TAKE THE LAW SERIOUSLY
The GDPR is not a monster but it needs to be taken seriously. Changes will be required, and if they are not made, companies risk considerable fines and reputational damage. Indeed, under the GDPR, organisations that breach the law could face a fine of up to 4 per cent of annual worldwide turnover or €20m (whichever is the greater).
This is markedly higher than the £500,000 that the Information Commissioner can levy now.
The changes required to comply with the GDPR cannot be made unless a business understands how it deals with data protection now. Therefore, the GDPR should act as a catalyst for an immediate review of good data protection practice.
THE CURRENT REGIME
The present data protection regime, under the Data Protection Act 1998 (DPA), protects a person’s rights in respect of their personal data and is built upon eight data protection principles. These are all common sense and require that personal data is:
- Processed fairly and lawfully
- Obtained and used for specified and lawful purposes only
- Adequate, relevant and not excessive in relation to their purposes
- Accurate and up-to-date
- Not kept for longer than is necessary
- Processed in accordance with the individual’s rights
- Kept secure
- Not transferred outside of the EEA without adequate protection
Apart from these there are other critical points to note about the present regime.
The first is that there are extra obligations when handling sensitive personal data such as information about ethnic origin, sexual life, trade union membership etc. Further, individuals have a right via a Subject Access Request (SAR) to find out what information is held about them (there are exceptions).
It’s also worth noting that if a company fails to meet its obligations under the DPA then it can be fined up to £500,000 by the Information Commissioner – and fines are being levied. The majority are imposed because of security breaches, and usually the security breach is a consequence of a failure to take data protection seriously.
There is an increased emphasis and awareness of the importance of data protection. Organisations that fail to give this high priority now may be caught out.
Decision makers should know what is coming over the hill. This will give their firm time to get ready – the GDPR should act as a catalyst for a review of current data protection practices. Those that leave the critical preparation until the last minute could find that there is a real danger that they won’t be compliant in time.
A useful starting point is to review what personal data is held, why it is held, where it was obtained, what privacy notices exist, and with whom, and why, personal data is shared. Under the GDPR, firms that correct or erase personal data they have shared are required to inform the organisations with whom they shared it. But this can’t be done unless they know what data is held, and who holds copies of it, in the first place.
It’s very important that organisations review any data protection policies they have and consider what policies exist, how they are kept up to date and who is responsible for doing so. The GDPR requires “data protection by design” and operates on an “accountability principle” which will require firms to show how they comply by, for example, having effective policies and procedures.
RIGHTS OF THE INDIVIDUAL
Individuals need to know what is going to be done with their data, and who it is going to be shared with. A privacy notice tells people about this and is often found on a company’s website or is indicated to an individual when their personal data is collected such as during the order process.
Under the GDPR there is additional information which must be provided. Firms will need to tell data subjects – users – the legal basis for processing their data, the data retention period, and of their right to complain to the Information Commissioner. There is also a requirement that the privacy notice is concise, easy to understand and in clear language.
Under the GDPR individuals still have the right to know what information is held about them, but they will also have rights to have inaccuracies corrected, to have information erased, to object to direct marketing and a right to data portability (because of this, firms will have to be able to provide an individual’s data in a structured, commonly used and machine-readable electronic format). These rights are enhancements to existing DPA rights. If a firm is compliant with the DPA then it should not face any great difficulties. Now is a good time to test an organisation’s compliance with the DPA and the new requirements. It should test how able it is to locate and delete data, as well as who in the organisation would take these critical decisions. The bottom line here is that firms must have procedures in place to take individuals’ rights seriously.
Presently, firms have 40 days to respond to a subject access request, but under the GDPR this will drop to a month. There are also some changes to the grounds for refusing a SAR (including that the request is manifestly unfounded or excessive). Refusing a request will require a firm to have appropriate policies and procedures in place, because it must be able to justify the refusal. There will also be obligations to provide additional information with the response, such as data retention periods and the right to have inaccurate data corrected. These additional requirements could cause considerable logistical problems if an organisation handles a significant volume of SARs.
CONSENT FOR DATA PROCESSING
One of the most challenging areas under the DPA is that of “consent”. Consent to use personal data cannot be inferred from silence, pre-ticked boxes or inactivity. The GDPR requires that consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. If a firm is going to rely upon “implicit consent” then it must be ready to deal with a challenge as to how unambiguous the consent was. It may be that consent can properly be inferred, but the need to be ready for a challenge is important. Clearly firms need to review how they obtain and record consent and consider whether it meets the exacting standards of the GDPR.
Further, if an organisation collects information about children (in the UK this will probably be those under 13) then it will need a parent’s or guardian’s consent. This will need to be verifiable, and, of course, the language used in the privacy notice must be capable of being understood by children.
There is presently no general obligation to report data breaches (although it may be tactically worthwhile to do so). The GDPR radically changes this. A personal data breach must be reported to the Information Commissioner within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and where the breach is likely to result in a high risk to individuals they must be told as well. Firms should consider how they would deal with this new obligation. They should be asking: How secure are their systems? What training do staff have? Is personal data encrypted? What breaches might result in an obligation to report? How would the harm to individuals be mitigated? Do the procedures in place around data breaches allow these obligations to be met within the deadline?
We’ve seen that there are certain key expressions in the GDPR such as “Data Protection by Design”, “the Accountability Principle”, “Privacy by Design” and “Data Minimisation”. But there is one particularly important expression which brings with it a specific obligation – “Privacy Impact Assessments” (PIAs), which the GDPR calls Data Protection Impact Assessments (DPIAs). These are required before starting processing that is likely to result in a high risk to data subjects, that is, individuals, for example where a significant change in the processing of data is planned or new technology is used.
While it is mainly public bodies, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive personal data, that must appoint a Data Protection Officer under the GDPR, it also makes real sense for any business or organisation affected by data protection to ensure that it complies with the DPA and GDPR. The best way of doing this is to designate a capable, interested person with the responsibility for ensuring that the obligations are met.
DON’T IGNORE IT!
So to conclude, the GDPR is a real and present concern for firms and organisations of all sizes, and the financial consequences of ignoring the new rules are severe. However, those that plan ahead and choose to follow their obligations should have little to worry about.
Andrew Gallie is a senior associate at Veale Wasbrough Vizards specialising in information and data protection law.