Amid the flurry of emails which everyone suffered around 25 May 2018, or “GDPR day” as it became known, it may have escaped your attention that the Data Protection Act 2018 received royal assent on 23 May 2018. The Data Protection Act 2018 (the 2018 Act) essentially enacts GDPR into UK law. It means, for example, that following Brexit, UK law will continue to comply with European law in respect of data protection issues.
The 2018 Act replaces entirely the Data Protection Act 1998, which was the previous applicable statute dealing with data security, and which came into force before the internet became as widely used as it is today and before most “social media” platforms were even devised.
In the words of Elizabeth Denham, the Information Commissioner, the “new laws provide tools and new rights to enable people to take back control of their personal data. The legislation requires increased transparency and accountability from organisations, and stronger rules to protect against theft and loss of data with serious sanctions and fines for those that deliberately or negligently misuse data.”
One of the major changes concerns the definition of what constitutes “consent” where that is the legal basis for processing personal data. “Consent” as a legal basis for processing data can now only be relied upon by organisations which can demonstrate that the data subject has consented to the processing of their data by taking an unambiguous, freely given, informed, affirmative action to signify their consent. This means consent can no longer be assumed or implied by a data subject’s actions – there has to be an active opt-in.
Consent is just one of the legal bases on which personal data can justifiably be processed by an organisation. An organisation can also rely, for example, on the processing being necessary for its legitimate interests, necessary in order to perform a contract, or necessary in order to comply with a legal obligation. Most processing of employee data may be justified by one of these reasons rather than by the consent of the employee, which cannot be “freely given”, because the employer is deemed to be in a position of power over the employee.
The new laws include improved rights for consumers including rights of access to data, to have data corrected, to erasure, portability, to object to or restrict processing, and the right to restrict automated decision making. It is now illegal to process the personal data of children (those under the age of 13), without obtaining their parent’s consent. This was an aspect where the 2018 Act varied the default GDPR position.
As that flurry of emails before 25 May will have told you, GDPR has caused a degree of concern among business owners and others grappling with how the new laws affect them and what they need to do to comply.
One question that remains to be answered is what approach the Information Commissioner’s Office (“ICO”) will take to enforcement. The new laws certainly contain hugely enhanced powers for the ICO to fine organisations – up to 4% of global turnover or €20 million, whichever is the higher. The maximum fine under the 1998 Act was £500,000.