We are in the midst of the most significant reform of data protection laws in over 15 years. Our social, retail and business habits have created a world in which data is key to business activity and the law is now racing to keep up.
Four years after the overhaul of European data protection laws began, the final text of the new General Data Protection Regulation (GDPR) was approved in Spring 2016 and the new rules will come into effect on 25 May 2018.
Key changes under the GDPR will affect almost all businesses. The rights of EU citizens to control their personal details will be enhanced and new unified obligations will be placed on those dealing with personal data. During the transition, all businesses need to assess what they need to do to comply with the new rules.
Current data protection legislation (the Data Protection Act 1998 in the UK) is based on the Data Protection Directive of 1995 (the 1995 Directive), which sets out key legal principles for dealing with personal data. For the past 15 to 20 years these principles have been adopted in national legislation throughout the EU Member States in different ways, resulting in a disjointed approach to data protection in Europe. The GDPR will replace the 1995 Directive and will be directly applicable in every EU Member State. This will provide a single set of rules and avoid contradictory approaches across the EU.
What will the EU General Data Protection Regulation (GDPR) mean for businesses?
New obligations for Data Processors
At present, legislative obligations rest with data controllers who are responsible for the actions of their data processors. Under the GDPR both data controllers and data processors can be responsible for data protection compliance. This means not only the owners of personal data will be responsible for meeting the requirements of the GDPR, but those holding or using that data (such as external marketing or IT suppliers) will also have new responsibilities.
Affirmative consent requirements for processing
One of the key principles for processing data is that the procedure must be fair and lawful. The bases on which data is processed are a key area of reform. The current rules are often interpreted too widely by data controllers.
One basis for fair and lawful processing is gaining the individual's consent. Practice has arisen in many industries whereby consent is implied by the actions or inactions of the data subject. Under the GDPR this practice will no longer be accepted. Consent must be freely given, specific, informed and unambiguous.
Privacy by design obligations
Organisations will be obliged under the GDPR to adopt an approach that promotes privacy and data protection compliance from the outset. All businesses in high risk situations should consider carrying out Data Protection Privacy Impact Assessments.
Potential fines for security breaches
The GDPR introduces stronger enforcement action where there is a breach of the data protection rules, including fines of up to 4% of an organisation's turnover. Enforcement action will be unified across the EU with each national supervisory authority authorised to take action.
Enhanced rights of Data Subjects
The rights of individuals in relation to their personal data have been enhanced under the GDPR. This impacts on the information which should be included in privacy policies and procedures and the way in which data subject access requests from individuals should be handled.
Appointment of Data Protection Officers
A properly equipped Data Protection Officer (DPO) can prove invaluable to an organisation dealing with vast amounts of data. The GDPR requires certain organisations to appoint a DPO to oversee compliance with data protection due to their size or business operations. This is a new requirement for those dealing with personal data in the UK although other EU Member States already require some organisations to have a DPO in place.
The GDPR applies to the personal data of all individuals within the EU and organisations processing their data are required to comply with the GDPR, regardless of whether those organisations are based within the EU themselves. In the age of data sharing, personal data may be processed in a number of different jurisdictions and the GDPR makes provision for identifying which data protection authority will supervise cross-border organisations.
How to prepare for the EU General Data Protection Regulation?
Whether you are at the start of a journey towards data protection compliance or you already have data protection compliance processes in place, you need to start planning now for the GDPR coming into force in 2018.
Initial preparation has been made easier for businesses by the introduction of a 12 step checklist by the Information Commissioner's Office (the ICO), which we have detailed in our recent blog: ICO's 12 Steps Checklist: How to Prepare for EU Data Protection Reforms. This checklist highlights and codifies the essential steps which businesses must consider now to prepare themselves for the GDPR.
Contact our Specialist Compliance and Regulatory Lawyers
Here at MacRoberts, we have extensive knowledge and experience in dealing with compliance and regulatory matters. We can provide the assistance you need to take proactive measures to ensure compliance and to avoid falling foul of any relevant laws and regulations.
Our Compliance and Regulatory team, headed by Partners David Flint, David Gourlay and Val Surgenor, has an impressive reputation in the legal and commercial markets and takes the time to understand your business, your drivers and your risks, tailoring the advice we provide around you.
We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.
If you require advice, assistance or representation in relation to the upcoming General Data Protection Regulation obligations or any other compliance and regulatory matters, contact our team today for expert advice tailored to your needs.
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.