By Peter Stevens
The EU’s General Data Protection Regulation (GDPR) has been described as the biggest change to data protection law for a generation. However, it is an evolution rather than a revolution. Many of its principles are much the same as those in the Data Protection Act (DPA). Clients who already have an effective data governance programme for complying with the DPA are likely to be well on the way to being ready for GDPR. However, there are important new elements, and some things will need to be done differently.
Privacy by design and default are now express obligations. Privacy can no longer be an afterthought. The GDPR requires businesses to consider data protection issues when designing new products and services, or from the outset of a project.
It will not be sufficient merely to comply with the GDPR: businesses will need to be able to demonstrate compliance on an ongoing and specific basis, tailored to their own circumstances. They will need to establish, implement and maintain internal policies, processes, procedures and measures which help them comply, and have the means to carry out audits and training. There will be express obligations concerning record keeping, and the records will have to be produced to the Information Commissioner’s Office (ICO) on request.
Considerably stronger remedies and enforcement measures. Individuals can now claim damages for non-financial loss (e.g. distress) without first proving financial loss. The ICO will have extra powers to investigate, audit and make orders. The levels of fines will be substantially increased to a maximum of 4% of annual worldwide turnover or €20 million (whichever is greater).
Extended territorial reach. The GDPR will apply to data controllers and data processors established outside the EEA who offer goods or services to data subjects in the EU, or who monitor their behaviour taking place within the EEA, and who process personal data relating to them in this connection. It will also apply, as before, to those established in the EEA or processing data with equipment located in the EEA.
Liabilities imposed on data processors as well as on data controllers, and a more prescriptive list of obligations to be included in contracts between them. This is a significant shift of liability.
Existing contracts will need to be reviewed before May 2018 to ensure they comply. Data controllers will need to carry out increased due diligence before contracting with their data processors, and the list of obligations which must be included in the contract is more prescriptive.
The definition of personal data is broadly unchanged, but has been tweaked to include RFID tags and online indicators such as IP addresses, location data and cookies. Sensitive personal data (called “special categories of data” under the GDPR) will now include genetic and biometric data.
Privacy notices will require much more detailed information, and must be readily accessible, written in clear, concise, and intelligible language. The data protection principles are largely unchanged, but transparency is more important.
Data controllers must conduct data protection impact assessments (DPIAs) before undertaking any processing, in particular processing using new technologies, that is likely to result in a high risk to the rights and freedoms of individuals.
The GDPR creates some new rights for individuals and strengthens some of the rights that exist under the DPA. Where children are involved, some of the rights are stronger. The privacy notice must inform data subjects of their rights; if it does not, their consent will not be valid.
The data subjects’ right to restrict or object to processing is expanded, and the right to be forgotten in specified circumstances is set out expressly in the GDPR.
Faster and free response to subject access requests. Data controllers will no longer be able to charge a fee for dealing with subject access requests, and the time for response has been reduced from 40 days to one month. In some cases, data subjects will have a new right to require the data controller to send them a copy of their data in a machine-readable format (e.g. CSV files), but the data controller is not expected to create new technical systems to deal with such requests.
New obligation on controllers to report security breaches to the ICO promptly and, where feasible, within 72 hours of becoming aware of them.
In some cases, a need to appoint a Data Protection Officer (DPO). Public authorities or bodies, and any companies whose core activities entail the regular and systematic collection of personal data on a large scale, the large-scale systematic monitoring of individuals (such as online behaviour tracking), or the large-scale processing of special categories of data or data relating to criminal convictions and offences, must appoint a DPO. This is a high-profile, specialist role with considerable responsibilities spelt out in the GDPR.
In order to establish new policies and procedures, and to prepare GDPR-compliant privacy notices, data controllers will need to know what data they hold, where they got it from, what they plan to do with it, to whom they might wish to disclose it and for how long they will need to keep it. Thus, the first step will be to carry out a detailed data protection audit. They will need to ensure staff handling personal data are properly trained, and their training is regularly updated.
The GDPR will have no direct effect in the UK after Brexit, but the Data Protection Bill currently going through Parliament will ensure that the GDPR continues to be mirrored in UK law.
If you would like assistance with getting your business ready for the GDPR, TWM’s Business Law team can help with your requirements.