The EU General Data Protection Regulation (GDPR) will be directly applicable to all member states from 25 May 2018. Many of the GDPR’S requirements are much the same as those in the current Data Protection Act (DPA). However, there are new elements and enhancements that organisations need to be aware of.
A summary of some of the highlights within the GDPR is set out below together with useful links to relevant guidance on the Information Commissioner’s Office (ICO) website. Given the government’s intention to bring all EU legislation into UK law ahead of the UK’s exit from the European Union, we should assume that the GDPR’s measures will apply for the foreseeable future.
We will issue a Practice Note shortly.
The GDPR applies to all entities providing goods or services (irrespective of whether such good or services are free). Organisations will now be directly responsible for compliance with data protection regardless of whether they are EU or non-EU based.
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA. New rights include the right to have inaccuracies corrected, the right to prevent direct marketing and the right to have information erased.
The right to have information erased has attracted considerable attention and in effect enables an individual to request for their personal data to be removed and no longer processed by the data controller. Continued retention of such data would therefore only be permissible in circumstances where it was necessary e.g. for compliance purposes or where it is in the public interest to do so.
As is the case with the current DPA, the GDPR places an obligation on data controllers and data processors to have legitimate reasons for processing personal data. In circumstances where they rely on the consent of data subjects, organisations must be able to prove that the consent was unequivocal, informed and given for the purpose it was intended. Silence or pre-ticked boxes will therefore no longer amount to consent for the purposes of the new GDPR.
Data protection by design and by default are new concepts that are included in the GDPR. In essence it will now be mandatory for organisations, when designing new IT system for the processing of personal data, to ensure that data protection considerations are taken into account from the early stages of the design process (e.g. through Data Protection Impact Assessments).
See https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf for further informtation including on Data Protection Impact Assessments.
The GDPR introduces a new notification rule for personal data breaches. Under the rule all data security breaches will be required to be reported by data controllers to a supervisory authority within 72 hours. Failure to report breaches within this timeframe must be justified and in some cases, the data controller will be requird to notify the affected data subject(s)
Currently, the ICO can set a maximum penalty notice of £500,000 for serious breaches of the DPA. The GDPR has increased this amount quite significantly. For certain breaches of the GDPR, data controllers could receive a penalty of up to 40% of global annual turnover for the preceding year (for undertakings) or €20m.
Section 4 of the GDPR introduces a statutory role of Data Protection Officer (DPO). Most organisations who handle personal data will be required to appoint a DPO. This is particularly true for public authorities or those whos activities involve the regular monitoring of data subjects on a mass scale. The DPO will have a key role to play in ensuring compliance with the GDPR. The DPO can be an employee or contractor provided they possess the necessary knowlege and skills and have the ability to fulfil the responsibilities outlined in Article 37.
At present, there is no clear guidance on what type of organisation will be required to appoint a DPO. The CLC is therefore currently seeking further clarification and guidance from the ICO and will provide further information to the profession on this requirement in due course.
GDPR: 12 steps to take now https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Overview of the GDPR: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
Guidance: what to expect and when https://ico.org.uk/for-organisations/data-protection-reform/guidance-what-to-expect-and-when/