GDPR: are you ready?
Data is the key asset of most businesses. It should be commercialised effectively and adequately protected. The forthcoming GDPR means that a data 'big bang' is imminent. A recent ICO study found that many businesses are still ill prepared; don't be one of them.
In December 2015, the Council of the European Union approved the draft wording of the General Data Protection Regulation (GDPR). The GDPR will govern the European data protection regime from 25 May 2018.
Whilst the UK's future relationship with the EU remains to be determined, the UK Government has confirmed that the GDPR will apply regardless. Irrespective of the UK's position in Europe, the GDPR applies to any data controller or processor which offers goods or services to, or monitors the behaviour of, data subjects in any EU member state, wherever that controller or processor is established. You should prepare for the advent of the GDPR now.
The current regime was introduced under the Data Protection Directive, implemented in the UK by the Data Protection Act 1998 (DPA). The change is due to numerous reasons, not least that the existing legislation is almost 20 years old and technological developments over that time have changed the manner in which we store and process data. Issues also arise under the current legislation because, as a Directive, it has been implemented differently in each member state, resulting in myriad approaches and legal uncertainty for consumers, data controllers and data processors. The GDPR, as a Regulation, will apply directly in all member states and the UK and will be enforced locally by the relevant supervisory authorities (in the UK, the Information Commissioner's Office) under a single regime.
The GDPR will result in many changes to the current regime including:
Consent
The conditions for consent will become stricter. Data Controllers will be obliged to demonstrate that individuals have consented to the processing of their personal data and that such consent was freely given, specific, informed and unambiguous. Implied consent will no longer suffice.
The Data Controller will bear the burden of proof that consent was validly obtained, and the performance of a contract cannot be made conditional on consent to processing of personal data that is not necessary for that contract.
Coupled with the strengthened right to withdraw consent at any time, these changes mean that organisations should carefully review their existing data processing practices and the consents on which they rely.
Breach notification
It may come as a surprise to many that, whilst the ICO has previously issued guidance on security breach notifications, it is not currently compulsory to notify either the ICO or affected individuals of data breaches except in limited circumstances. Going forward, organisations will be obliged to notify the ICO of personal data breaches without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals; where a breach is likely to result in a high risk to individuals, those individuals must be notified too. This will put strain both on organisations subject to breaches and on the resources of the ICO.
Data protection officers
The GDPR will require certain organisations which control or process data to appoint a Data Protection Officer (“DPO”), who must be appropriately trained in data protection law and practice and must not hold any other position whose duties may conflict with the DPO role. It is likely that a DPO will need to separate this role from any other internal function and will need access to the Board or Executive level in light of their obligations. A number of organisations will already have somebody in this position; however, it will be necessary to consider how the scope of the role will alter with the advent of the GDPR.
Data subject rights
Subject Access Requests and the right to object to processing of personal data will be familiar to most organisations which control data and these rights will continue. Additionally, there are new entitlements for individuals including:
- Right to Erasure - a right to request that personal data is erased and that the Data Controller refrains from any further dissemination (commonly referred to as the right to be forgotten);
- Data Portability - a right to obtain a copy of the personal data an individual has provided to a Data Controller, where processed by automated means, in a structured, commonly used and machine-readable format which permits the individual to reuse it or transmit it to another controller; and
- Right to Object to Profiling - a right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects for a data subject or “similarly significantly affects” them. Depending on how the threshold is interpreted, this may extend to forms of automated online tracking and behavioural advertising.
Enforcement and remedies
Currently, maximum fines under national law vary and are comparatively low (for example, the ICO can currently impose a maximum fine of £500,000). The GDPR will significantly increase the maximum fine.
Maximum fines under the GDPR will range from €10 million (or 2% of annual global turnover, whichever is higher) to €20 million (or 4% of annual global turnover, whichever is higher), depending upon the nature of the breach.
Any organisations that previously regarded non-compliance with the DPA as a low-risk issue should re-evaluate the position in light of the substantial new fines.
Top tips to ensure your organisation is compliant
- Review how your organisation collects and uses personal data, why it is collected, and how regularly the continued relevance of that personal data is reviewed.
- Review commercial contracts for any matters which may involve collecting, using or outsourcing personal data, including the terms on which data processors act for you.
- Have the organisation's processes independently reviewed through third-party audits and risk assessments.
- Implement a cyber liability and data security breach plan outlining responsibilities for notification and steps which can be taken to mitigate and manage risks in the event of a breach.
- Provide training: people are the biggest data risk to most organisations. Ensure that training is delivered to all employees, contractors, agency workers and anyone else deployed on your premises with access to personal data, so that security policies are understood and adhered to.
- Prepare early for the GDPR – we can help!