The UK currently adheres to the Data Protection Act 1998. Despite Brexit, it will be superseded by the much tougher General Data Protection Regulation (GDPR), on which political agreement was reached in Brussels in December 2015. It is imperative that every business, whatever its size, that controls or processes personal data understands the changes it MUST make to be fully compliant, or it risks fines large enough to bankrupt it.
What is the GDPR?
The General Data Protection Regulation (GDPR) is designed to give people better control over their own personal data. The EU regulation is the product of four years of work and is intended to unify data protection legislation across member states in response to the way data is now collected and used. Its 99 articles set out the obligations on companies and the rights of individuals.
When will it come into effect?
The GDPR applies from 25 May 2018, before the UK leaves the European Union. The government has confirmed that the Regulation will apply in the UK, a position also confirmed by the Information Commissioner, and a UK bill will accompany it.
Why has the GDPR been created?
Current legislation predates the internet and cloud computing as they are used today, and the new ways in which data is collected, shared and exploited. The EU therefore initiated this regulation to give people more control over how their personal data is used.
It is hoped that these modernised and unified rules will also allow businesses to make the most of the opportunities of the Digital Single Market by reducing regulation and benefiting from reinforced consumer trust.
Personal data definition
Personal data is any information relating to an identified or identifiable living individual (GDPR Article 4(1)), such as a name, an identification number, location data or an online identifier. Under the new legislation personal data must be processed lawfully and transparently for a specified purpose, and it must not be kept for longer than that purpose requires: once the purpose has been fulfilled, the data should be deleted.
Right to erasure (“The right to be forgotten”)
The regulation offers clear guidelines on ‘the right to be forgotten’. Individuals will be able to demand that their data is deleted when it is no longer needed for the purpose for which it was originally collected, or when they withdraw consent and no other lawful basis for keeping it exists. This is subject to the exceptions in Article 17(3), for example where the data must be retained to comply with a legal obligation.
Full details can be found in GDPR Chapter 3: Rights of the Data Subject, Article 17
Who does the GDPR apply to, and what are its obligations on companies?
Processor definition – a natural or legal person, agency, public authority or other body which processes personal data on behalf of the controller
Controller definition – a natural or legal person, agency, public authority or other body which, alone or jointly with others, determines the purposes and means of processing of personal data
• All public authorities will be required to appoint a data protection officer (DPO) under Article 37 of the GDPR, as will any controller or processor whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37(1)).
• All individuals, companies and organisations that ‘control’ or ‘process’ data will need to adhere to the GDPR.
• Controllers must be able to provide a person’s data in a structured, commonly used and machine-readable format (for example CSV) so that it can be transferred to another organisation should the person request it (Article 20). Such requests must be fulfilled free of charge and without undue delay, and in any case within one month (Article 12), extendable by a further two months for complex requests.
Full details can be found in GDPR Chapter 4 (Art. 24-43) Controller and processor
Penalties under the GDPR
Non-compliance can result in administrative fines of up to 4% of annual global turnover or €20 million, whichever is greater. Fines on that scale could put a company into insolvency.
Should a company suffer a personal data breach that is likely to result in a risk to people’s rights and freedoms, it must notify its data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33). Failure to do so could mean a penalty of up to 2% of the organisation’s annual global turnover or €10 million, whichever is higher.
UK businesses must not be complacent: the GDPR will be enforced either as UK law if the UK remains part of the European Economic Area (EEA) or under another “national badge” should the UK leave the EEA after Brexit. Furthermore, in August 2017 the UK government published plans for a new Data Protection Bill that on the whole matches the GDPR’s requirements; this will replace the UK’s current Data Protection Act.
Data controllers and processors need to define their obligations precisely before the end of the two-year implementation period, to avoid exposure once the Regulation applies.
Companies must understand the legal basis for acquiring, holding and processing data, have accountability procedures in place to demonstrate compliance, and have suitable technology to meet the requirements on data deletion and data portability.
All systems and processes will need to incorporate data subjects’ privacy rights, along with a clear policy and procedure for handling any potential security breach. Compliance will also include checking any third-party “processors” to ensure their procedures have been implemented or updated.
The Information Commissioner’s Office (ICO) has drawn up a useful 12-point checklist to help organisations prepare for when the GDPR comes into force next year.