The recent Cambridge Analytica/Facebook revelations have put data privacy issues firmly in the spotlight. The timing could not be better for strengthening the case for the imminent data protection reform which is to be implemented by the General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018, from 25 May 2018.
Businesses ignore the new regime at their peril, as non-compliance can result in large fines (up to €20 million or 4% of total worldwide annual group turnover) and reputational damage. As the deadline for compliance approaches, it is crucial that businesses are aware of the main changes that will be introduced under the new regime and adapt their data protection processes appropriately.
One of the main changes introduced by the GDPR is more stringent rules around consent. The data subject must freely give their specific, informed and unambiguous consent to processing of their data or there must be another legitimate reason for processing (such as where processing is necessary for entering or performing a contract with the data subject, for compliance with a legal obligation to which the data controller is subject, or to protect the vital interests of the data subject).
Data subjects will also be given extensive new rights, including the right to withdraw consent to processing, the right to request rectification or erasure and a right to data portability. The right for a data subject to make a subject access request remains but the timescale for compliance has been reduced to one month (from 40 days) and the data must generally be provided free of charge.
Certain businesses will be required to appoint a data protection officer who must maintain a record of all processing operations under their responsibility. Data controllers and data processors must also implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.
The GDPR establishes a mandatory system in relation to the breach of data security. Data controllers must notify any personal data breach to their national supervisory authority without undue delay and in any event within 72 hours of becoming aware of it. If the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must also communicate the personal data breach to them without undue delay.
The GDPR restricts transfers of personal data outside the EU in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined. Any data transfers to other countries should be covered by bilateral third country agreements (for example, the Privacy Shield framework with the US) or, where no bilateral agreement exists, other adequate protection will need to be in place for data transfers.
Implementation of data privacy and data security measures will be an evolutionary process. Businesses will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018. They may, however, wish to consider taking the following steps now to work towards timely compliance:
> Run a data audit to assess what personal data is held, where, why and for how long.
> Consider what is the lawful reason for processing personal data and how is that recorded.
> Review who the business shares personal data with (for example clients and third party suppliers), why, and what controls are in place to protect that data.
> Adopt and implement data protection policies including internal and external privacy notices.
> Consider whether the business should appoint a data protection officer.
> Maintain documentation of the business’ processing activities.
> Implement appropriate security measures.
> Ensure that systems are in place to notify a personal data breach to the relevant supervisory authority and the data subject (where required).
> Create and maintain a register for recording data breaches including details of how the breach occurred and what steps were taken to resolve it.
> Ensure that the business is ready to respond to data subject requests (such as for a copy of all of the personal data held or to erase personal data).
> Identify all cross-border data flows, review data export mechanisms and update cross-border data transfer mechanisms if necessary.
There are aspects of the new regime which will require further guidance and case law to settle, and requirements will no doubt be refined over the coming months and years. In the meantime, businesses should remember that the GDPR represents a change in culture and a fundamentally different approach to compliance. It will not be enough just to be compliant; businesses will have to demonstrate that compliance.