Despite Brexit, the UK Government has indicated that it will implement the EU’s General Data Protection Regulation (GDPR), which will apply from 25 May 2018. Even if it had decided not to, companies dealing with data relating to EU citizens would still be required to comply, because the GDPR will affect not only organisations operating within the EU but also those outside it that offer goods and services to individuals within the EU.
The first EU Data Protection Directive was written in 1995; this new, stronger regulation takes into account the vast technology changes of the last 20 years.
Failure to comply with the new GDPR may expose businesses to a fine of up to the greater of €20 million or 4% of worldwide annual turnover. With this in mind, businesses should begin to make any and all internal organisational changes necessary to ensure compliance.
Things to Keep in Mind
Remember this is a regulation, NOT a directive
Whilst the two terms are often used interchangeably, they are very different. A directive must be implemented and enforced by each member state through its own national legislation, whereas a regulation becomes directly applicable law in every member state when it is passed, without any national implementing legislation.
The Regulation will have Global Ramifications
The new regulation affects every global organisation that holds data on EU citizens and residents. The ‘naming and shaming’ provisions contained within it are likely to bring greater consistency in how data breaches are dealt with across member states. At present in the UK the Information Commissioner’s Office issues a press release when organisations are sanctioned, whilst regulators in other countries can be rather lighter touch.
Users will be able to make compensation claims
The regulation will allow users to claim damages when there are data losses as a result of unlawful processing. They will also be able to seek collective redress (an equivalent of US-style class action lawsuits).
Users can demand that their data is erased
In the new regulation, users will be able to demand that their data is erased. This raises a number of questions as to how your business will be able to locate and delete that data quickly and efficiently across every system in which it is held.
Things to do
Assess whether the GDPR will apply to you. The new law will apply to both EU and non-EU data controllers and data processors who either (1) offer goods or services to data subjects in the EU or (2) monitor data subjects’ behaviour insofar as that behaviour takes place within the EU.
Appoint a Data Protection Officer (or similar). Certain companies will be obligated to appoint a Data Protection Officer (“DPO”) to discharge the entity’s responsibilities under the GDPR. Companies that are not so obligated will nevertheless need to ensure that someone within the organisation is responsible for achieving the same objective.
Conduct a risk assessment. Businesses need to assess the degree of risk that their data processing poses to data subjects. The Information Commissioner’s Office (“ICO”) recommends that, amongst other things, businesses create and maintain a record of the personal data they hold, including details of where it came from, how they are processing it, and the legal basis for such processing.
Update your privacy notices. Before collecting personal data, businesses will need to provide data subjects with more information than was previously required, including the contact details of the DPO, the legal basis for processing the data, data retention periods, the individual’s right to complain to the Data Protection Authority if they take issue with the way their data is handled, any data transfers to other countries, etc.
Ensure that you have been, and are continuing to, collect the appropriate consents from data subjects to process their data. Under the current law, a data subject must give “consent” to the processing of their regular personal data and “explicit consent” to the processing of their sensitive personal data. Under the GDPR, both types of consent must also be shown to be freely given, specific, informed and unambiguous. Consent must also be revocable, i.e. the data subject must be able to withdraw their consent at any time, and withdrawing it must be as easy as giving it.
Ensure that all of your policies, procedures and processes protect the new rights of data subjects. The rights of data subjects are set to be expanded under the GDPR: individuals will now, in certain circumstances, have (1) the right to request that businesses delete their personal data, (2) the right to receive within one month a copy of the personal data held by businesses in a commonly used and machine-readable format, and (3) the right to transmit those data to another controller.
Review your procedure for dealing with data breaches. Businesses must ensure that their response procedure in the event of a data breach is aligned with the new breach notification duty, which in some circumstances will require businesses to notify the relevant Data Protection Authority of a data breach without undue delay and, where feasible, within 72 hours of becoming aware of it.