Background to reform
Reform of EU Directive 95/46/EC (upon which our beloved Data Protection Act 1998 (DPA) is based) has been on the cards since 2012. The need for reform is generally considered to be uncontroversial: the current law requires modernisation to reflect changes in technology and in how personal data is processed. Cross-border data transfers and cross-border business have both grown markedly since the Directive was adopted. More generally, recognition of the importance of individuals' rights over their data requires reform of data protection law to provide for improved rights and strengthened enforcement.
The new EU General Data Protection Regulation (GDPR) will enable greater harmonisation across the EU and is more prescriptive as to what member states must do, and how, than the current Directive 95/46/EC.
Is the GDPR still relevant post-Brexit?
At the time of writing (October 2016), the answer to this question is not yet clear, as the government has yet to decide on and announce its approach to data protection reform, as well as the form Brexit generally will take. However, the GDPR is expected to remain relevant for the UK. If Mrs May triggers Article 50 in March 2017, Brexit is not expected to occur until 2019 - by which time the GDPR will already apply (from 25 May 2018) and, as an EU Regulation, it will be directly applicable in the UK without the need for any implementing national legislation.
Will the government (which, it must be remembered, was involved in the EU-wide discussions and negotiations on the format of the GDPR) subsequently want to renege on it? If it does, it will need to tread carefully: even if the UK makes a clean break from the EU, data controllers based in EU member states will need to be satisfied that the UK ensures an adequate level of protection for the rights and freedoms of data subjects before transferring personal data to the UK. Further, any UK organisation that offers goods or services to individuals in the EU, or monitors their behaviour, will fall within the GDPR's territorial scope and will need to comply with it in order to do so.
So what do we do now?
In this time of uncertainty, whilst organisations await a clear direction of travel from the government, they should note the following:
- All organisations should ensure that they are fully compliant with the current DPA and with all guidance and codes of practice issued by the Information Commissioner. Every organisation should already be fully compliant with this legislation - is yours confident that it is? Many of the steps set out in the Information Commissioner's best practice guidance and codes of practice will become mandatory requirements under the GDPR, e.g. in relation to fair processing notices. Prepare your organisation by reaching the current gold standard now and it should be easier to adapt to data protection reform, whatever form that may take.
- All organisations should be aware of what personal data they hold, for what purpose and on what lawful basis, for how long and in what form. Experience has shown that even now some organisations have 'inherited' documentation through the latest round of NHS re-organisation with which they have yet to get fully to grips. Note that the GDPR's definition of a filing system is broader than the definition of 'relevant filing system' under the DPA. The ICO's overview of the GDPR confirms that this means even something as simple as boxes of manual records filed chronologically will be caught if they contain personal data.
- Is your organisation fully aware of each and every data processor it uses, and of whether it is itself a data processor? Is there a data processing agreement in place, and is it fit for purpose? In a change from the current position under the DPA, the GDPR will impose obligations directly on data processors, in addition to those placed on data controllers.
- Consider system readiness and responsiveness. For example, how easy is it for your organisation to respond to a subject access request today? The rights of data subjects will be strengthened under the GDPR, including a new general rule that (subject to certain exceptions) subject access requests must receive a response without undue delay and in any event within one month of receipt, extendable by up to two further months where requests are complex or numerous. Could your existing systems cope? Note also that under the GDPR the ability to charge for subject access will be removed in the ordinary case; a reasonable fee may only be charged where a request is manifestly unfounded or excessive. How will your organisation manage the loss of those fees alongside the allocation of any additional resources that the GDPR, if implemented in the UK, may require for your organisation to be compliant?
- Under the GDPR, there will be a new accountability principle whereby the data controller is under an explicit obligation not only to comply with the GDPR but also to be able to demonstrate that compliance. Record keeping and maintaining audit trails of good information governance practice will therefore become more imperative than ever before.