

Don't Ignore The GDPR

A major milestone in EU data protection law was marked when the General Data Protection Regulation (GDPR) came into force just before the UK’s referendum on membership of the EU. A huge piece of legislation that was set to replace the UK’s 1998 Data Protection Act from May 2018, it marks a tough new era in EU-wide data protection, with new powers for data regulators and much stricter operating boundaries for businesses that process personally identifiable information about individuals.

UK businesses imagining that leaving the EU will have removed the need for them to comply with the GDPR should be warned that they ignore the new requirements at their peril: they are likely to find that they have to comply with the new regulation in any event, or with a UK version in a very similar form. Ensuring that systems are upgraded and proper processes are in place will take time, and businesses that fail to prepare risk missing out on trade opportunities.

The over-arching aim of the GDPR is to harmonise data protection across all EU member states. As an EU regulation, rather than a directive, it becomes law in all 28 individual EU member states without the need for any national legislation. It should make it simpler for everyone, including non-European companies, to comply with data protection requirements. However, it comes at a cost: data processors take on greater responsibilities, and breaches and non-compliance carry severe penalties of up to 4 per cent of worldwide turnover.

The biggest change is that the GDPR applies to any business processing personally identifiable information in respect of EU citizens, not just to businesses based within the EU. This means that any UK business trading with EU citizens will be affected, as will anyone who transfers personal data for processing or storage from the EU to the UK.

It is anticipated that any new alternative legislation brought in by the UK Government will be just as tough as the EU regulation. According to the Information Commissioner’s Office – the UK data protection regulator – the GDPR will still be relevant for the UK because “the underlying reality on which the policy is based has not changed”. The issue may be further complicated during the transition process, as until the UK has in place data protection legislation which the European Commission recognises with a formal “adequacy decision”, businesses that transfer personal data from the EU to the UK would need to implement some other mechanism, such as standard contract clauses that are approved by the European Commission.

The consequence is that UK businesses wishing to trade in the EU, or to transfer personal data from the EU, should be looking to adopt the General Data Protection Regulation as a minimum standard, regardless of the size of their business.

For any future trading relationship between the UK and the EU, our data protection law will need to be broadly equivalent. If the UK were to stick with the current Data Protection Act 1998, other countries would view the UK regime as providing insufficient protection.

GDPR Summary

The main provisions of the GDPR include:

Consent – currently, much data is collected on the basis that individuals can choose if they wish to opt out. In future, an individual will have to make a positive action that demonstrates consent for their data to be collected. That consent can be withdrawn at any time, as individuals have “the right to be forgotten”. They can also elect to transfer their data elsewhere. There will also need to be separate consent for processing data for a new purpose beyond that for which it was originally collected.

Transparency – more information will have to be provided by the processor from the outset about how data will be used and for how long it will be kept. Organisations must not retain data any longer than is absolutely necessary. If personal data is going to be stored outside the European Economic Area, details must be provided of where it will be stored and what safeguards will be in place.

Accountability – a shift in emphasis from risk management to compliance will mean that organisations will have to be able to show they are actively complying with the GDPR, not just identifying risks or responding to breaches as they occur. They will also have to demonstrate that privacy is considered at every stage of their operations.

Specialists – a specialist Data Protection Officer will be an obligatory appointment for most public bodies and for any organisation controlling or processing data where core activities involve “regular and systematic monitoring” of data subjects “on a large scale”. For an organisation that sub-contracts its processing, there is a high duty of care imposed in selecting its data processing provider, with procurement processes to be followed and regular reviews once an appointment is made.

Breaches – currently some breaches can be managed internally, without the need to report, but in future there will be a statutory obligation to notify the regulator – the ICO in the UK – and the individuals affected, if there is any risk to an individual’s personally identifiable information as a result of any breach. Fines can be imposed for breaches, up to a maximum of €20 million, or 4 per cent of total worldwide turnover for businesses, for serious contraventions.

Children – no one under 13 can give consent to the processing of personal data in relation to online services, so parental consent must be obtained. Member states are free to set their own rules for those aged 13 to 15. If they do not set rules, then parental consent will be required for children under 16.

For advice on how to begin to actively take steps to adopt the GDPR, contact us.

Although correct at the time of publication, the contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article. Please contact us for the latest legal position.