Embarrassing photos are a part of almost everyone’s past. Those of us who had long since grown up before the advent of social media would doubtless be relieved to know that most of these photos only exist in a long-since forgotten box in an attic somewhere. New data protection rules will mean the next generation of embarrassed adults could see their digital footprint suffer a similar fate, as the GDPR is introduced.
The new rules will mean more than just the much-reported ‘right to be forgotten’ though – the UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), has described GDPR and the associated reforms as being “the biggest change to data protection law for a generation.”1
GDPR will be introduced in full in the UK on 25 May 2018, despite Brexit. It should be noted that although GDPR introduces many new and enhanced requirements, the principles for managing data that sit at the heart of the new law are largely unchanged from the existing EU Data Protection Directive and the UK Data Protection Act 1998.
The so-called ‘right to be forgotten’ provision is one element among a raft of significant changes – fundamentally designed to harmonise data protection laws across the EU, and to enhance the rights of consumers and citizens in the information age.
This is a qualified right that could apply to all organisations and should be considered for all personal data, though it is primarily aimed at information that is available online, especially information about a child or information that was published when the individual was still a child.
Broadly, if your business is handling personal data then you’ll be subject to GDPR. The UK government has decided to adopt GDPR in full to ensure that the UK continues to provide high standards for data protection, and ultimately so personal data can continue to flow unhindered between the UK and the EU after Brexit.
GDPR applies to all companies within the EU that handle personal data but also to organisations outside of the EU that offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU. This extraterritorial scope gives GDPR a long reach.
The maximum fine that the ICO can impose for a data breach will increase from the current £0.5m to £17m or 4% of global turnover from the previous financial year, whichever is higher. However, the ICO has emphasised that under the current rules, they have never imposed a maximum £0.5m fine, and that in 2016/17, they imposed just 16 fines from a total of 17,300 cases.
Financial penalties for non-compliance with GDPR are likely to continue to be reserved for only the most serious breaches, but the increased potential fine highlights the importance of data protection.
The ICO recommends that businesses appoint someone responsible for data protection compliance. Many businesses will have such a person in place already. However, public authorities, organisations that carry out ‘systematic monitoring’ of individuals or large-scale processing of higher risk personal data (such as information about a person’s health, religion or race) or criminal convictions will be required to have a named Data Protection Officer (DPO).
The DPO is not personally responsible for compliance breaches, however – that liability remains with the organisations themselves.
|Key points of GDPR|
|---|
|Maximum fine of £17m or 4% of global turnover from the previous financial year.|
|Increased accountability for organisations, including being able to demonstrate compliance through appropriate technical and organisational measures, including the implementation of appropriate data protection policies.|
|New and enhanced individuals’ rights, providing people with more control over their personal data.|
|More prescriptive requirements for organisations to be transparent to individuals about data protection - businesses will need to provide individuals with more granular privacy notices in a concise way, using clear and plain language.|
|Organisations will be required to notify the ICO and impacted individuals of higher risk data breaches, such as those likely to result in a risk such as fraud.|
|Specific requirements and restrictions relating to personal data processed about children.|
|Subject access requests – where a person requests data held on them – must be processed within a month, instead of the current 40 days, and normally at no cost to the individual.|
A specific list of what is or is not ‘personal data’ is not provided within GDPR. Broadly though, current rules define personal data as any data that can lead to an individual being identified or data that ‘relates to’ or is obviously about an identifiable individual. GDPR will expand this to specifically include online identifiers, such as IP addresses, and location data.
Whether or not the data you are handling is ‘personal’ will vary between organisations; the ICO has recommended that organisations document their data processing activities, and that an ‘information audit’ may be required in order to prepare for GDPR.
Accountability is the key watchword that GDPR introduces. Organisations are required to ensure they are compliant with the key principles of GDPR, but also that they are able to demonstrate their compliance, for example through their internal policies, procedures and controls.
Organisations must provide individuals with concise, transparent, intelligible and easily accessible privacy notices, using clear and plain language, including a requirement to signpost individuals’ rights.
If your organisation suffers a personal data breach, you may be required to notify the ICO within 72 hours of becoming aware of it.
Not all data breaches will have to be reported, only those where individuals are likely to suffer an outcome such as fraud, harm, misuse of data or loss of privacy. It would nonetheless be prudent to establish an internal process in your business for managing data breaches and for assessing whether each one also needs to be reported to the ICO. You may also need to report breaches to any individuals who are likely to be adversely impacted, such as your customers or employees.
GDPR is an important piece of legislation, and you should be thinking about its impact well ahead of the May 2018 implementation. While it may be a cause of concern for many businesses, it could also represent an opportunity: those businesses that are best able to demonstrate they are guarding their customers’ data, above and beyond the regulatory requirements, will have the opportunity to win new customers through a demonstration of mutual trust and respect.
The purpose of this article is not to provide legal advice but instead to give a brief overview of the new rules and direct you to other sources of information. If you have questions you may need to obtain legal advice.