The European Parliament has finally approved the GDPR and the official texts of the GDPR were published in the EU Official Journal on the 4th May 2016. It will become applicable in all member states on 25 May 2018.
The Regulation will apply to any organisation within the EU which processes personal data and it will also apply to organisations based outside of the EU but which process personal data of EU citizens. Key features include an increased emphasis on giving individuals control of their data, new measures to increase accountability of data controllers and additional data security requirements including an obligation to impose contractual conditions on third party processors e.g. cloud providers.
In the UK the Information Commissioner's Office (ICO) advocates preparing early for the GDPR, and organisations should make good use of the two-year implementation period to do so. Recommended steps to take include:
- Review systems and data flows to determine what changes need to be made;
- Allocate appropriate resources and appoint a member of staff to manage the process;
- Update or put in place policies that deal with the processing of personal data and responding to security breaches;
- Train your staff on the new data protection regime.
It is essential that companies know what needs to be done in order to comply with the GDPR because the maximum fines for non-compliance are 4% of the organisations’ annual global turnover or €20 million, whichever is greater.
If you would like to find out more about the GDPR and how to prepare for it please visit http://ec.europa.eu/justice/data-protection/reform/index_en.htm.
EU-US Privacy Shield
The draft EU-US Privacy Shield has been introduced to replace the ‘Safe Harbor’ framework which was held to be invalid by the European Court of Justice in October 2015 in the wake of the Edward Snowden allegations of mass and indiscriminate government surveillance of EU citizens’ data in the US.
Under the Privacy Shield, US companies are obliged to protect Europeans’ personal data to ensure ‘adequate protection’. It establishes oversight mechanisms and imposes sanctions on companies to ensure compliance. The Privacy Shield also establishes many avenues of redress for EU citizens in cases of complaints regarding the handling of their personal data.
Additionally, for the first time ever, the US government will have to give a written assurance that any access by public authorities or government bodies will be subject to clear limitations and safeguards, thereby providing a greater level of data protection for EU citizens.
In April 2016, the EU Article 29 Working Party criticised the current draft, claiming that it did not go far enough in offering EU citizens an adequate level of protection for their personal data; notably, it did not sufficiently address the mass collection of personal data by the US authorities, which was the crucial factor in the Schrems case that led to the Safe Harbor agreement being declared void. Negotiations on the Privacy Shield continue. If you would like to keep track of its progress please visit: http://europa.eu/rapid/press-release_IP-16-433_en.htm
UK Cyber Security Strategy annual report published
In April 2016 the Government published its annual report on the UK Cyber Security Strategy 2011-2016.
The report claims that the 2011-2016 Strategy has made “tangible progress in galvanising the national response to the cyber threat”. However, the report recognises that this is not sufficient to tackle the threat to cyber security, which does not seem to be abating.
The Government has therefore decided to launch a new five-year Strategy later this year. As part of this, the Government will invest £1.9 billion to provide the UK with the “next generation of cyber security”.
If you would like to read the 2016 annual report please visit: https://www.gov.uk/government/publications/the-uk-cyber-security-strategy-2011-2016-annual-report.
If you would like to read the 2011-2016 Strategy please visit: https://www.gov.uk/government/publications/cyber-security-strategy
Information Commissioner’s Office (ICO) publishes encryption recommendations
In March the ICO released updated guidance regarding the use of encryption to reduce the impact of a data breach.
The Data Protection Act 1998 does not specifically refer to ‘encryption’; however, it does state that organisations should take “appropriate technical and organisational measures” to prevent loss or damage to personal data. The ICO’s new guidance suggests that encryption is such a measure.
In the guidance, the ICO has stated that where data breaches occur and encryption measures were not in place, regulatory action may be pursued.
If you would like to find out more about encryption please visit: https://ico.org.uk/media/for-organisations/guide-to-data-protection/encryption-1-0.pdf
ICO releases a statement on the impact of Brexit on data protection
In a statement issued on 28 April 2016, the ICO stated that the UK “will continue to need clear and effective data protection laws, whether or not the country remains part of the EU”.
However, Brexit could potentially have a larger impact on UK data protection laws than the ICO suggests. For example, in light of the EU-US Privacy Shield, if the UK were to leave the EU, it may have to be approved by the European Commission as a safe destination for EU personal data. Given that the transfer of data is essential to trade in this digital era, this could have a significant impact on UK businesses.
You can find the ICO’s statement here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/04/statement-on-the-implications-of-brexit-for-data-protection/.