EU General Data Protection Regulation
Background and current position
As you may already be aware, EU data protection is facing huge changes. Data protection is currently governed by the Data Protection Act 1998 (“DPA”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which fundamentally stem from the 1995 European Directive (95/46/EC), the aim being to protect individuals with regard to the processing of personal data. In 2012, the European Commission published a draft regulation (the General Data Protection Regulation (“GDPR”)), and the final GDPR was published in April 2016 (the “Regulation”). This Regulation will enforce stringent data protection laws on businesses.
We are now within the two-year transition period during which organisations must implement changes to their businesses to ensure compliance with the Regulation. The aim of the Regulation was to harmonise the current position, which differs across each member state, to create legal certainty across all EU member states and to reduce the cost of compliance with the law on data protection.
Who does GDPR apply to?
The GDPR applies to ‘controllers’ and ‘processors’. The definitions of the two are similar to the definitions under the DPA, namely that the controller determines how and why personal data is processed and the processor acts on behalf of the controller. Therefore, if you are currently subject to the DPA, it is likely you will also be subject to the GDPR.
Increased Fines: under the DPA, the ICO can currently impose penalties of up to £500,000. The maximum fines for non-compliance under the GDPR will be increased to up to 20 million Euros or 4% of global turnover, whichever is higher.
Wider definition of personal data: the definition under the DPA is far narrower than the definition under the GDPR, which now includes a broad range of identifiers including location data and an identification number.
Notification to the ICO: the breach notification deadline will be reduced, so businesses will have an obligation to report any breach (e.g. the theft or loss of data) within just 72 hours. Businesses should be mindful that if, for instance, a breach occurs on a Friday morning, they would need to be ready to report to the ICO first thing on Monday morning.
Can’t rely on consent: the GDPR clamps down on relying on consent as the basis for processing personal data. The other grounds for processing remain, namely compliance with a legal obligation, performance of a contract, or processing that is proportionate to a legitimate business interest.
Easier to bring a claim: the GDPR will make it more straightforward for individuals to claim compensation against data controllers and data processors if they have suffered damage as a result of a breach of the GDPR.
Right of access to personal data (£10 fee scrapped): the GDPR strengthens individuals’ right to access their personal data, and access must be provided free of charge (currently a fee may be charged). The time limit for compliance is also being reduced from 40 days to one month.
Data Processing Agreements: Processors will only be able to process personal data on behalf of a controller if a written contract is in place which imposes a number of compulsory terms on the data processor, as set out in the GDPR. Data processing agreements must be GDPR compliant.
Sub-processors: processors must not engage a sub-processor without the prior written authorisation of the controller.
Records: processors must keep records of their data processing activities and make them available on request.
Data protection policies are not a new concept, but they are becoming increasingly relevant.
So what should businesses be doing?
• Identify your third-party processors, as well as the processing carried out within your own business (e.g. payroll, health insurance, pensions).
• Some businesses will need to appoint a data protection officer; consider whether this applies to you.
• Consider the privacy implications at all stages of your process.
• Invest time and money into GDPR training and remember that such training is important at all levels of your organisation.
• Map and audit your data flows. You must know exactly what personal data you hold, how it was/is obtained, where it’s stored, where/how it is sent, how it’s processed and what you tell people about processing.
• Cross-border transfers: be mindful that different rules apply to different countries. It may be useful to create a thorough list of the jurisdictions you send data to in order to determine the best way to transfer data to each of them.
• Adapt your privacy policies to make individuals aware of their data rights (the right to withdraw consent, the right of access, the right to object, the right to be informed of retention periods, and the right to complain to the ICO). Businesses need to reconsider their position and put together a detailed policy that complies with the GDPR in order to reduce the risk of a fine.
• Be mindful of the UK leaving the EU: the lead regulator is the supervisory authority in the country where the controller or processor has its main establishment (e.g. the ICO for the UK). When the UK formally leaves the EU, UK companies will need to consider nominating a main establishment within the EU, so it will be important to consider which country is appropriate for your particular business. If you have operations in the EU, you will need to comply with the GDPR.
Brexit is no escape
You may well be thinking that, if the GDPR is applicable to all Member States and the UK will soon be formally leaving the EU, you don’t need to worry about the implications of the GDPR. The reality is that, firstly, the GDPR will come into force before the UK has officially left the EU. Secondly, even once the UK has formally left the EU, an organisation based in the UK may still be caught by the GDPR through carrying out activities in the EU which involve the processing of personal data. It is important to note that even selling goods and services to clients in the EU will trigger GDPR compliance.
The GDPR will come into force on 25 May 2018, so the time to ensure that you will be compliant is now.