The General Data Protection Regulation, GDPR, will replace the Data Protection Act in 2018 following its adoption by the European Parliament on 14th April. It is much tougher on businesses.
The EU has trumpeted the fact that it will be the same law across the whole of the EU and that it gives individuals:
- a right to be forgotten,
- the need for "clear and affirmative consent" to the processing of their data,
- the right to know when their data has been hacked, and
- privacy policies explained in clear and understandable language.
Higher fines of up to €20m or 4% of firms' total worldwide annual turnover should deter breaches.
Whilst the GDPR will regulate the activities of governments and big businesses that “deal in” data, like the big internet providers, it will also have a profound effect on ordinary businesses that hold the personal data of their employees or customers, and on providers or users of hosted IT services.
The requirement for recent “clear and affirmative consent” to the holding and use of individuals’ data in full knowledge of the purpose for which it is to be processed may kill off businesses which sell mailing lists of contact details.
Providers of hosted IT services will have to enter into comprehensive contracts with their customers setting out in detail the security measures they take to protect personal data, and their clients may have to audit those measures to satisfy them selves they are adequate. This will have a fundamental effect on much business contracting in the field of IT services.
Those processing personal data or using third parties to process it for them will need to keep detailed records of their processing activities, contracts and security measures. Any significant loss or corruption of personal data will have to be reported to the authorities.
IT systems may need to be re-configured to allow compliance. For example, data subjects must have an effective right to require their data to be deleted. The GDPR requires data protection to be engineered into new systems and existing arrangements will need to be updated to be compliant.
Businesses generally and particularly those specifically involved in dealing in, storing or using personal data or designing IT systems that involve the processing of personal data should start planning for the changes now.