On 25 May next year the new General Data Protection Regulations (“GDPR”) will come into force and it has been billed as the largest overhaul of data protection law in 20 years. It should be noted that whilst the new regulations largely reaffirm the existing law and current underlying data protection principles, the GDPR does also widen key definitions and introduce new concepts, obligations and terminology.
To help pick through the regulations we have set out below five key things which you need to know about the GDPR and some thoughts on what businesses and organisations can be doing over the course of the coming year to prepare for its implementation.
UK businesses and organisations should be aware that as a European regulation, the GDPR will have direct effect in UK law. Those with a keen eye on the potential fallout from Brexit will note that its implementation date precedes the earliest possible date on which the UK may exit the EU. This means the GDPR is coming into force and will repeal the current Data Protection Directive and override the Data Protection Act 1998. If your business or organisation collects, records, uses, stores or processes personal data (which can include your employees or customers) and does so within the EU then the GDPR will apply (even if your business is based outside the territorial confines of the EU).
2. Not just controllers but processors too
Current data protection law draws a distinction between a ‘data controller’ and a ‘data processor’ in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility. Briefly, the data controller is the person which determines the purposes for which data is processed and therefore is the person which has had to carry data protection responsibility for it. A data processor is someone who processes the data on behalf of the data controller. Common examples of data processors would include HR providers who might provide payroll or advisory services or IT companies who provide support services or data network solutions.
One of the key changes in the GDPR is that data processors will have direct obligations for the first time and will be liable for sanctions if they fail to meet such obligations. These include an obligation to maintain a written record of processing activities carried out on behalf of each controller and a breach notification obligation under which processors must notify the controller on becoming aware of a personal data breach without undue delay.
3. Accountability and Transparency
Accountability and transparency are new principles which run through the GDPR. The enhanced focus on accountability may necessitate a cultural and attitudinal shift within some organisations. Under the GDPR organisations will need to act transparently with regards to their processing of personal data and be able to demonstrate and evidence exactly how they are complying with the principles of the GDPR.
Companies which have in recent years had to introduce policies and statements addressing issues such as bribery, anti-corruption or modern slavery will be familiar with the ethos of such risk based compliance, and the need to adopt a proactive, rather than reactive, approach. The guidance which has been emanating from the Information Commissioner’s Office (“ICO”) and the EU’s working party on data protection makes clear that in order to demonstrate compliance with the GDPR, and meet accountability standards, the sort of evidence that organisations ought to have in place would typically include:
- Data protection policies, codes of conduct and internal data handling procedures
- Data protection training for staff (including refresher and ongoing training)
- Evidential documentary trails showing how decisions concerning personal data were taken at senior levels
- Privacy Impact Assessments completed on a risk basis
- Data Audits
- Contractual data processing agreements where personal data is being processed by third parties.
4. Enhanced rights of data subjects
One of the main aims of the GDPR was to bolster the rights of individuals and it is no surprise, therefore, to find strengthened rights for individuals who are the subject of the personal data (data subjects) within the regulations. These include the right to correct data about them which is wrong, the right to restrict certain processing and a right to be forgotten in which an individual can require that their personal data is erased if it is no longer necessary.
These are also changes to the “right of access” which exists in the current law. Current law enables data subjects to request a copy of all information that an organisation might hold on them through making a “subject access request”. In the GDPR however data controllers must now respond to these requests for information within a month (rather than 40 days) and have in place clear processes and procedures to enable them to meet these obligations.
5. Breaches and Fines
Much has been made in the press, particularly in the wake of the most recent cyber security breaches, of the enhanced sanctions which will be available to supervisory authorities under the GDPR. In the UK, the ICO can already levy fines on data controllers who commit breaches of the law or suffer serious data breaches. However, under the new regime both data controllers and third party data processors can face sanction with the maximum fine limit being increased substantially for the most serious cases of up to €20m or 4% of an organisation’s global turnover (whichever is the greater). Whilst the imposition of such fine should be effective and proportionate, they are mutually aimed at being dissuasive.
It is impossible to completely eliminate the risk of breaches of personal data. Under the GDPR however, even in cases where an accidental breach of personal data has occurred, data controllers must notify most data breaches to the ICO. Data processors who suffer breaches will also have an obligation to notify the relevant controller. In both cases this must be done without undue delay and, where feasible, a controller should notify the ICO within 72 hours of awareness. It is more likely under the GDPR that controllers will also have to report to the individuals whose data has been compromised.
What can organisations be doing between now and next May?
We now have a year until the GDPR come into effect and this may mean that organisations need to use that time to start moving away from the notion that data protection is simply something for their IT team or HR staff to deal with.
Organisations which handle lots of customer data or those businesses which process data on behalf of others may wish to use the next year to carry out some house-keeping. A simple start might be to undertake out a basic internal audit which would map out where personal data is used, processed and stored across their organisation.
Businesses should also start reviewing their training and policies to ensure that they have the right procedures in place to detect, report and investigate a personal data breach.
If this article raises any questions for you, please speak to our data protection experts.
Note: The content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in any particular circumstance.