Data Protection is not the most glamorous of subjects. You probably dealt with ‘that data protection issue’ years ago when the Data Protection Act 1998 came along, made sure all your processes and contracts were fully compliant and gave yourself a pat on the back as a result.
Well, after years of discussion and debate, things are changing again – so say hello to the EU’s brand new General Data Protection Regulation (GDPR).
First, congratulations: you have overcome the first hurdle – you now know the GDPR exists. The second step is understanding the new data protection regulations and how they will affect your organisation.
Brexit
But let’s start with the B-word: Brexit. You may read this thinking that, given Brexit, the GDPR is now irrelevant. This is not true: the GDPR will automatically come into force in every EU member state in May 2018 – at a time when the UK is still very likely to be part of the EU. Therefore, your business will need to comply. Even after Brexit, the GDPR will continue to apply if your business:
- Has a presence in the EU; or
- Does not have a physical presence in the EU (and does not process personal data in the EU), but still:
  - Offers goods or services to individuals in the EU (payment is not required); or
  - ‘Monitors’ the behaviour of individuals in the EU (for example, if your non-EU based website uses tracking cookies to analyse consumer behaviour).
Those of you familiar with the existing regulations may notice this is a departure from current legislation, which applies only if personal data is processed within the walls of the EU.
Consent
The requirements for consent will be tightened. Clear positive consent will be needed. Silence or pre-ticked boxes on your website will not constitute valid consent. You will have to give your data subject the right to withdraw consent at any time. In practice, this will mean you should allow them to withdraw consent using the same method that you used to obtain it in the first place.
Special Categories Of Personal Data
You may already be familiar with the concept of ‘sensitive data’ from existing legislation. ‘Sensitive data’ includes information concerning racial or ethnic origin and health generally. There are other categories of information too, but newly added to the list will be genetic and biometric data.
Data Governance
New obligations will be imposed on your business to show that you have considered and integrated compliance measures into your day-to-day activities. This may mean adopting appropriate data protection policies, training staff and appointing a data protection officer.
Also formalised is the requirement of Privacy Impact Assessments (PIAs). You will need to complete a PIA before doing any ‘high risk’ data processing. If you cannot mitigate the risk of such high risk processing, you will be required to consult the Information Commissioner’s Office.
In a significant departure from existing legislation, the GDPR will require you to have formal contracts with any service providers who process personal data on your behalf – and ensure they comply with their obligations under the GDPR. Equally, if you are processing data on behalf of a third party, the GDPR will place specific legal obligations on you for the first time and make you liable for breaches you are responsible for.
Right To Erasure
More commonly known as the ‘right to be forgotten’, whilst not absolute, it will give data subjects the right to have their personal data erased in specific circumstances – such as where the personal data is no longer necessary for the purpose for which it was originally collected or processed.
Data Portability
This is a new concept. It will oblige you to provide to the data subject the personal data you hold about them in a structured, commonly used and machine-readable form. Interestingly, it will only apply to personal data the data subject has supplied to you themselves. There is uncertainty about how this will work in practice, but it is likely to result in additional administration for you and less for your customer.
Data Breach Notification
If you accidentally or unlawfully destroy, lose, alter or disclose personal data, or give access to it, a requirement to notify the Information Commissioner’s Office will be triggered. This is a new requirement. You may be tempted not to notify to avoid any bad publicity; however, failure to notify risks an administrative fine of up to €10,000,000 or two per cent of the total worldwide annual turnover in the preceding year – whichever is higher.
For the most serious breaches the penalty is doubled to €20,000,000 or four per cent of total worldwide revenues. You have been warned!
It is not too early to start planning ahead for these changes. If you would like to know more (and there is much, much more), please contact Emma Toes (née Ward) or another member of Nelsons’ Commerce & Technology team on 0800 024 1976.