The Government has confirmed that it will implement the EU General Data Protection Regulation (Regulation), which will come into force on 25 May 2018. Organisations must start taking steps towards compliance now to meet the higher data protection standards contained within the Regulation.
What about “Brexit”?
While the result of the June 2016 EU referendum meant that the UK would leave the EU, it was widely expected that the UK would nevertheless implement the Regulation, for two main reasons.
First, the UK Data Protection Act 1998 (DPA) is based on an EU Directive dating back to 1995 from an era when public Internet access was not widely available and data collection and processing methods were far less sophisticated than they are today.
Secondly, the Regulation contains strict controls on the transfer of personal data to countries outside the EU that do not provide an adequate level of data protection. The concern was that, once the UK had left the EU, the DPA would be regarded as providing an inadequate level of protection compared with the higher Regulation standards, disrupting commercially valuable data flows between the EU and the UK.
The Government did not explicitly rely on either of these reasons when confirming its intention to give effect to the Regulation in UK law, electing instead to note that the UK will still be an EU member state in 2018 and that “it would be expected and quite normal…to opt in to the [Regulation]”. In fact, as an EU member state until at least 2019, the UK would be legally bound by the Regulation, which, as an EU regulation, applies directly in member states from 25 May 2018.
What are the changes introduced by the Regulation?
Some of the changes include:
broader definition of personal data: more data will be protected than is the case under the DPA, and individuals will have access to more personal data on request;
higher standard of consent: consent will need to be freely given, specific, informed and unambiguous, and indicated by a statement or a clear affirmative action by the individual, so that silence, pre-ticked boxes or inactivity will no longer suffice;
accountability principle: this will replace notification to (registration with) the ICO and will require organisations to demonstrate compliance, for example by keeping records of their processing activities, carrying out data protection impact assessments before introducing new measures or high-risk processing activities and (in some cases) appointing a data protection officer;
transparency principle: organisations will need to provide more information to individuals at the point of data collection, including data retention periods and details of rights;
right to be “forgotten”: individuals will be entitled to require organisations to erase the personal data that they hold on them where there is no longer a lawful justification for holding it;
right to data port