New data protection laws will be in place from 25 May 2018, when the General Data Protection Regulation (GDPR) comes into force in the UK.
GDPR will apply to any organisation that processes the personal data of individuals in the EU, regardless of whether that organisation is itself located inside the EU: the determining factor is whether it offers goods or services to, or monitors the behaviour of, people in the EU, not where it is based. GDPR will apply to the UK despite our decision to leave the EU and introduces some fundamental changes to the regulation of personal data.
The terminology in the GDPR is broadly the same as under the existing Data Protection Act 1998, e.g. ‘personal data’, ‘processing’, ‘data subject’ etc. The first step in understanding the GDPR is to make yourself familiar with these key terms:-
- ‘Data Controller’ means a person/organisation who (either alone or jointly) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
- ‘Data Processor’ means a person/organisation (other than an employee of the data controller) which processes personal data on behalf of a data controller.
- ‘Data Subject’ means the identified or identifiable living individual to whom personal data relates.
- ‘Personal Data’ means any information relating to an identified or identifiable living individual. The GDPR’s definition is wider than that of the 1998 Act and, for the first time, expressly recognises that online identifiers such as an IP address can constitute personal data.
- ‘Processing’ means an operation or set of operations which is performed on personal data, or on sets of personal data, including but not limited to the collection, recording, organisation, storage, alteration or transmission of personal data.
What are the aims of GDPR?
The current Data Protection Act 1998 is evidently outdated. The Act was drafted at a time when the internet was still in its infancy, social media was not the all-consuming mammoth it is now and the iPhone had not yet become the principal means by which most people interact with one another.
As such, GDPR can rightly be seen as a response to the exponential growth in the communication of personal data, requiring a stronger and more coherent framework. Indeed, the 1995 Data Protection Directive (95/46/EC), which the UK implemented through the Data Protection Act 1998, only required EU member states to enact their own legislation based upon the Directive’s requirements. In contrast, the GDPR is a regulation: it does not need to be transposed into national law and is directly applicable in every member state from the day it takes effect. GDPR will supersede the existing data protection laws of each member state, with the intention of harmonising data protection rules throughout all 28 member states.
What changes does GDPR bring about and why should I be concerned?
The introduction of GDPR will change the dynamic of the data protection landscape, with the most important changes being:-
- Enhanced right of erasure – data subjects will be able to request that their personal data be deleted where it is no longer necessary for the purpose for which it was collected, where the controller (for example, an employer) has no other lawful ground for processing it, where the data subject withdraws consent, or where the data subject objects to the processing and there are no overriding legitimate grounds for continuing it. The right is not absolute: a controller can refuse a request where the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, or for the performance of a task carried out in the public interest. At present, a data subject’s right ‘to be forgotten’ can only be exercised where the personal data in question is causing unwarranted and substantial damage or distress; under the GDPR, that threshold disappears. Data subjects also have a right to have inaccurate personal data rectified.
- Increased notice obligations – data controllers (e.g. employers) will need to review and update their privacy notices so that they reflect the GDPR’s expanded definition of personal data, set out the categories of personal data held about the data subject, and explain how and for what purposes that data will be used. The notice must also state the lawful basis for the processing, how long the data will be retained (or the criteria used to decide that), and the data subject’s right to complain to the Information Commissioner’s Office (ICO) if they believe their data is being processed illegitimately.
- Consent - GDPR revises the general definition of consent to require a "freely given, specific, informed and unambiguous" indication of the data subject’s wishes, given by a statement or a clear affirmative action. Consent must be documented, so records must be kept to demonstrate when and how a data subject gave it. Data subjects will also be given continuous choice and control over how their data is used. Consent can no longer be assumed or obtained via pre-ticked boxes, silence or inactivity. Importantly, data subjects must be able to withdraw their consent at any time, and it must be as easy to withdraw consent as it was to give it.
For that reason, organisations will need to review the way in which they have acquired consent. If existing consent was not obtained to the GDPR standard, organisations will need to refresh it, for example by emailing active data subjects to explain that, if they still wish to receive emails from the organisation, they will need to give their consent again, with the email setting out specifically the purposes for which their personal data will be used. Organisations should avoid the approach taken by Honda and Flybe, who used historical data to send messages to customers who had opted out, or whose marketing preferences were unknown, asking them to opt in. The ICO fined the two companies £83k in total under the Privacy and Electronic Communications Regulations (PECR), on the basis that an email asking for consent to marketing is itself a marketing email and so itself requires consent. The cases serve as a useful reminder that organisations can fall foul of data protection law even when, as here, they are attempting to comply with it.
- Subject Access Requests - The current £10 fee will no longer be chargeable (except where a request is manifestly unfounded or excessive), and the current 40-day turnaround time is replaced with an obligation to comply “without undue delay” and at the latest within one month of the request, extendable by a further two months where requests are complex or numerous.
- Data Breaches - Organisations must ensure they have the right procedures in place for handling any personal data breach, whether suspected or confirmed, and know the steps to take in order to remain compliant with GDPR. Under GDPR, a personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; where the risk is high, the affected data subjects must also be told without undue delay. At present there is no express obligation under the Data Protection Act 1998 to report breaches.
- Giving more control to individuals - Organisations need to ensure that their procedures support the rights the GDPR gives to data subjects. For example, data subjects will have the right to obtain confirmation from the controller (the organisation) as to whether or not personal data concerning them is being processed and, if so, for what purposes, and to receive a copy of that data.
- Increased non-compliance risk - All organisations who process personal data must comply with the GDPR from its introduction on 25 May 2018. Organisations who fail to make the requisite transition could face fines from regulators of up to €20m (£17.7m) or 4% of their global annual turnover, whichever is greater, for the most serious infringements. The current limit under the Data Protection Act 1998 is £500k. This increased risk can most clearly be seen by reference to a recent case involving TalkTalk. In 2016, TalkTalk received a record £400k fine for security failings which led to the theft of the personal data of almost 157,000 customers. Under the GDPR the maximum fine available would have been around £72m, roughly 180 times the amount actually imposed (an increase of almost 18,000%). Such stark figures serve as just one example of the need for businesses to get GDPR compliant sooner rather than later. A further point worth considering is that the ICO is funded largely by the fees paid by data controllers rather than by central government. Some commentators have suggested that this gives it a greater incentive to impose the higher fines where applicable, and that ICO fines can be expected to become more frequent from May 2018 onwards, although it should be noted that monetary penalties are paid into the Treasury’s Consolidated Fund rather than retained by the ICO.