This year will mark one of the largest legal movements in data protection history – the formal adoption of the EU General Data Protection Regulation (the "GDPR").
The long-awaited GDPR brings significant changes to UK data protection law. Once in force, it may mean the EU has the most stringent data protection laws in the world. The GDPR is far-reaching – it can apply to anyone offering goods or services to, or monitoring the behaviour of, anyone in the EU. It is therefore imperative to be aware of the changes and to ensure you have robust processes and procedures for dealing with data protection – whether as a data controller or a data processor.
The Data Protection Act 1998 (the "DPA"), the cornerstone of UK data protection law, implements the EU Data Protection Directive 1995. Given that these laws came into force in the 1990s – when there was no cloud computing, social media etc. – they are outdated. The GDPR, being a regulation, is "directly applicable" in all member states. As such, it will apply throughout the UK without the government needing to transpose it into national law.
The GDPR's final text has been agreed following the trialogue. Key changes from the DPA in that text include:
- Higher fines – fines up to 4% of a company's worldwide turnover or €20,000,000 (whichever is higher) can be imposed following a breach of the GDPR. The maximum the Information Commissioner, the regulatory body responsible for data protection law in the UK, can currently impose is £500,000. So this is a significant increase.
- Mandatory notification – it will be mandatory to report all breaches of data protection to the Information Commissioner without undue delay and within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Currently, this procedure is voluntary. It will also be mandatory to report breaches likely to result in a high risk to the rights and freedoms of individuals to the data subjects concerned.
- Sensitive personal data – stricter rules apply to processing of sensitive personal data such as medical information. What constitutes sensitive personal data has also been widened and will now include genetic and biometric data (e.g. retinal scans and fingerprints).
- Consent – obtaining consent will be harder. Silence or inactivity will not constitute consent. Consent must be freely given, specific, informed and unambiguous, given by a clear affirmative statement or action, and it must be easy to withdraw. Businesses should not obtain consent by forcing a user to consent to a form of processing that is not necessary for the service the user is looking to receive. Parents will be required to provide their consent to the processing of children's personal data where those children are under a particular age (varying between 13 and 16 years old).
- Additional rights for data subjects – there will be a new right to transfer your data from one service provider to another. There will also be a wider right to be forgotten than currently exists.
- Mandatory Data Protection Officers – data controllers and processors whose core activities consist of processing sensitive personal data and/or regularly and systematically monitoring data subjects on a large scale (including monitoring consumer behaviour), as well as public authorities (other than courts acting in a judicial capacity), must appoint a data protection officer. A data protection officer's role will be to deal with data protection issues for the organisation.
- Data Processors – the DPA currently only regulates data controllers (except where a data processor engages in criminal activity). The GDPR seeks to impose certain direct legal obligations on data processors as well as on data controllers. For example, data processors will be required to notify data controllers where there has been a breach and to obtain consent from the data controller before using any sub-processors. More detailed data controller to data processor contracts will be required.
While the changes may seem burdensome to businesses, there is a silver lining. The direct implementation of the GDPR will make all EU countries much more uniform in their approach to data protection. This means that multinational businesses can take more of a "one size fits all" approach with their processes and procedures, since if such processes and procedures are lawful in one country, they are likely to be lawful in another EU country. Multinational businesses need not deal with each national data protection authority. Instead, they will only be required to deal with the data protection authority in their main place of establishment.
The GDPR is also designed to reduce "red tape" for businesses. For example, SMEs will no longer be required to notify the Information Commissioner that they are a data controller.
The GDPR is anticipated to be adopted by the European Parliament and Council shortly. It will come into force two years after it is formally adopted. Until the final text of the GDPR is approved, there is always the possibility that further changes could come into play. Businesses will, however, need to plan for these changes and ensure their processes and procedures are robust and fit for the upcoming changes and for data subjects having more control over their personal data. Data controllers and processors have just over two years to prepare for this significantly tougher regulatory environment. Do not underestimate the significant workload that may be required to ensure your organisation complies with the GDPR.