The General Data Protection Regulation will come into force on 25 May 2018. Brexit will not finalise until Summer 2019 at the earliest, so the Regulation will apply to you. The new Regulation will replace the Data Protection Act 1998. This is happening because the form and way data is exchanged has transformed massively in recent years. While many principles in the new legislation remain the same, there are numerous additional obligations you will need to observe. Whether or not you have clients in the EU, post-Brexit UK regulations are likely to remain the same or be very similar to the new Regulation in order to enable the UK to trade with the EU. So, ultimately, you will still need to comply. Compliance will require significant investment. And getting it right will involve prioritisation, corporate culture and risk-tolerance assessments.
What is going to change?
Data controllers will have to ensure they have legal justification for processing data, but the bar on the four usually acceptable reasons will be set higher. There will be stringent new conditions on obtaining a valid consent. These will require procedures to be reviewed, existing contracts to be updated, terms and conditions to be changed and any policy/product application forms to be changed. There will be additional safeguards for consent from children. Controllers will need to demonstrate (by way of records?) that they have balanced their legitimate interest in processing data against the fundamental rights and freedoms of the individual. Data processors will become subject to new and much more stringent rules, including a new data protection officer, new records to be maintained and security measures to be demonstrated. Accountability will need to be demonstrated/evidenced and audited. There will be new “rights to be forgotten”, and the new “data portability rights” will likely require IT system changes. More prescriptive data notices will be required. Data profiling will have new rights attached to it.
Not surprisingly, data security features highly: there is an obligation to have appropriate data security measures, along with mandatory duties to notify breaches to the DPA within 72 hours and to the data subject. There is to be a significant increase in the consequences and cost of a breach, including direct liability for data processors.
Data issues for employers?
The regulations bite in all areas, and just as much so for employers. Of particular significance is data such as workplace CCTV, lift/floor access information, computer logon data, and data on websites visited, telephone calls and emails. Much of this data may be unstructured, or may be personal data, sensitive personal data or even data about a child. Employers need to ensure that they have structured processes and rules for access to this data and its processing.
What should you be doing now?
If you are only just starting out, you can read the ICO’s very helpful website.
If you are already on your journey, then audit your current processes fully and compare them to the new requirements. Alternatively, instruct a lawyer to do so.
You can also check the key concepts of the new regulations and how they interact with your existing ones by viewing our comprehensive table.