The Government has confirmed that it will implement the EU General Data Protection Regulation (Regulation), which will come into force on 25 May 2018. Organisations must start taking steps towards compliance now to meet the higher data protection standards contained within the Regulation.
What about “Brexit”?
While the result of the EU referendum in June this year determined that the UK would leave the EU, it was expected that the UK would nevertheless implement the Regulation, mainly for two reasons.
First, the UK Data Protection Act 1998 (DPA) is based on an EU Directive dating back to 1995 from an era when public Internet access was not widely available and data collection and processing methods were far less sophisticated than they are today.
Secondly, the Regulation contains strict controls on the transfer of personal data to countries outside the EU that do not provide adequate data protection standards. The concern was that the DPA would be regarded as providing an inadequate level of data protection compared to the higher Regulation standards, disrupting commercially valuable data flows between the EU and the UK.
The Government did not explicitly rely on either of these reasons when confirming its intention to give effect to the Regulation in UK law, electing instead to note that the UK will still be an EU member state in 2018 and that “it would be expected and quite normal…to opt in to the [Regulation]”. In fact, as an EU member state until at least 2019, the UK would be legally bound to give effect to the Regulation in UK law.
What are the changes introduced by the Regulation?
Some of the changes include:
broader definition of personal data: more data will be protected than is the case under the DPA, and individuals will have access to more personal data on request;
higher standard of consent: consent in data protection law will need to be freely given, specific and informed and consist of unambiguous, clear and affirmative actions by individuals;
accountability principle: this will replace ICO registration and will require organisations to keep audit trails, carry out data protection impact assessments of new measures and high risk data processing activities and (in some cases) appoint a data protection officer;
transparency principle: organisations will need to provide more information to individuals at the point of data collection, including data retention periods and details of rights;
right to be “forgotten”: individuals will be entitled to require organisations to erase all personal data that they hold on them where there is no justification for holding it;
right to data portability: individuals will be entitled to require organisations to provide them or another organisation with their personal data in commonly used file formats to allow for the easy transfer of their personal data from one organisation to another;
right of access: organisations will have only a month to respond to personal data access requests, a shorter time limit than the DPA’s 40 calendar days, and personal data must be provided free of charge;
data security breach notification: organisations will need to notify certain data security breaches to the ICO and, in some cases, affected individuals within 72 hours of becoming aware of them;
data protection officers: some organisations will need to appoint a data protection officer with responsibility for advising and training their staff on the Regulation, monitoring compliance with the Regulation and acting as the first point of contact for the ICO and individuals; and
penalties: organisations that do not comply with the Regulation could be subject to a fine of up to €20m or 4% of their global turnover, whichever is higher.
What should we do now?
May 2018 might seem a long time away, but organisations have less than 18 months until the Regulation comes into force.
Now is the time to take these preparatory steps:
undertake an audit to identify any shortcomings in DPA compliance and rectify them to ensure 100% compliance. If your organisation does not comply with the DPA now, then it will be difficult to meet the higher standards of the Regulation;
deliver staff training on the Regulation, how it differs from the DPA and the impact that it will have on staff roles and how they engage with your suppliers, customers and service users;
review your organisation’s existing forms, business correspondence, website and data protection statements and update them to comply with the Regulation;
establish a framework to make your organisation more accountable on data protection compliance by, for example, maintaining audit trails;
consider how your organisation deals with parental consent when handling children’s personal data and implement any changes required by the Regulation;
appoint a data protection officer (if required) to assume responsibility for data protection compliance;
adopt higher data security standards to reduce the incidence of data security breaches;
implement a data security breach management policy, detailing how your organisation will investigate and respond to breaches; and
understand the new individual rights and be prepared for individuals to exercise them by putting in place appropriate policies and procedures.