Data Protection Law is changing: be ready
Our current data protection laws are based on a European directive introduced in 1995 and quite a lot has changed since then.
So, in May 2018 new legislation will be adopted to reflect the EU General Data Protection Regulation (GDPR), which endeavours to reflect the significant advances in information technology and fundamental changes in the ways in which we now communicate and share information. The new rules are designed to be more future-proof and try not to describe any particular technology.
Some concepts will be largely unchanged, for example, personal data, data controllers and data processors will be broadly similar. However, some concepts and approaches will be new.
Here are a few of the key changes:
- Territorial scope: non-EU data controllers and data processors may be subject to the GDPR (depending on what they do and where they do it);
- Enforcement powers: the current maximum fine for a data protection breach is £500k which, for some, has been considered a low risk. However, under the GDPR fines will be up to 4% of worldwide turnover or €20m (whichever is higher), depending on the nature of the breach;
- Consent: the GDPR will require a very high standard of consent (significantly higher than the current standard). You will no longer be able to rely on implied consent. Instead, you will need to demonstrate that a data subject gave consent by “clear affirmative action establishing a freely given, specific, informed and unambiguous agreement.” Where data processing has multiple purposes, the data subject should give their consent to each purpose. The burden is on you to prove that consent was obtained, and you must ensure that consent can be withdrawn at any time (and it must be as easy to withdraw consent as it was to give it);
- Registration: you will need to maintain detailed documentation recording processing activities and the GDPR specifies what information this record must contain;
- Data processors: the GDPR will introduce direct compliance obligations for data processors. Under the current system, data processors generally are not subject to fines or penalties but the GDPR will introduce the same fines on data processors as for data controllers;
- Notification: you will need to notify the ICO of all data breaches “without undue delay” and within 72 hours where feasible;
- Binding Corporate Rules: these are agreements used to lawfully transfer data outside the EEA. The GDPR tries to make the use of BCRs easier, but you may be aware of the Schrems case (declaring the Commission’s Decision on EU-US Safe Harbour invalid) and the subsequent challenges made by Digital Rights Ireland (and others), which have cast doubt on this;
- Right to be forgotten: individuals will have the right to request that you delete their personal data in certain circumstances. Following the Google Spain decision, some will already be doing this but for everyone else this will need to be properly considered and addressed.
The new rules are designed to increase harmonisation across the EU while, at the same time, addressing new developments in the way we communicate and share data.
As a result, businesses are likely to face fewer variations across Europe in compliance requirements (although variations will still occur, for example, in relation to national security, journalism, freedom of speech and employment laws).
The Government’s position on this in light of Brexit is that, whatever negotiations take place, we shall want to be assessed as providing an adequate level of data protection, and so we are highly likely to follow Europe’s lead under the GDPR as a minimum for some time.
Many will find that they require re-designs to systems that process personal data, and, if you use data processors, you may need to re-negotiate your contracts. This may take time and will require planning, so it would be wise to at least start the process of investigating how the new rules will affect you.