Data Protection legislation in the EU comprises the set of measures that organisations must comply with when storing, processing and transferring personally identifiable information, to ensure that it is used lawfully, is not retained excessively and is kept secure. This regime is being updated in the form of the General Data Protection Regulation (GDPR), the new legal framework under which EU Member States must treat and protect personal data, which comes into force on 25 May 2018. Because it is a Regulation rather than a Directive, it applies directly and will become law in the UK from day one without the need for national implementing legislation.
Key changes implemented by the GDPR include the following:
- The definition of personal data will be broader.
- Consent to process an individual’s data will need to be more explicit, revocable and narrower in scope.
- The rules will now apply to Data Processors as well as Data Controllers.
- Fines for non-compliance will be raised from the current UK maximum of £500,000 to the greater of €20,000,000 or 4 per cent of annual worldwide turnover.
- Many organisations will need to appoint a Data Protection Officer.
- Individuals will be able to exercise their right to make a subject access request without being charged a fee.
- Individuals will have the new rights to have their data erased or transferred to new service providers.
- A breach which is likely to prejudice an individual’s rights must be notified to the supervisory authority within 72 hours of the organisation becoming aware of it. In serious cases the affected individuals must be notified as well.
Many organisations will be affected but some may not realise it, or may underestimate what it will take to comply, because of the following common misconceptions:
- The GDPR is an EU Regulation, but Brexit will not remove it. The UK is implementing the Regulation in full anyway (having been one of the countries pushing for it) and will not be revoking it once it leaves. In any case, the GDPR will also apply to organisations in non-Member States that supply goods and services into the EU or monitor the behaviour of individuals within it.
- A higher standard applies to sensitive personal data (such as data relating to health, political beliefs and ethnicity). Businesses should not assume that they do not hold any such data simply because they are not the NHS or MI5. Many hold details of employees’ medical conditions so that office first aiders know what to do in an emergency. Others hold details of ethnicity, disability and sexual orientation to meet diversity targets. They need to be sure that such data is kept securely and that the requisite explicit consent has been obtained from the subjects in question.
- The task of ensuring compliance cannot simply be dumped on some unlucky individual in one of the administrative departments. It will need the buy-in of senior management, a budget for the expenditure required and a joined-up approach across Legal, HR, IT and Marketing.
May 2018 seems a long way off, but it is not. The sooner organisations start preparing for the new regime, the easier the exercise will be and the less likely it will be that, after May 2018, they are fined for non-compliance or sued by a disgruntled individual whose personal data has been misused.