In April 2016 the General Data Protection Regulation (GDPR) was adopted by the European Union, and was published in the Official Journal in May 2016; it applies from 25th May 2018.
As a Regulation, it is directly applicable across all EU Member States without the need for national legislation and replaces the 1995 Data Protection Directive and the national laws made under it. For the United Kingdom, GDPR will replace the Data Protection Act 1998.
Despite Article 50 of the Lisbon Treaty finally being invoked in March 2017, there is no doubt that the UK will still be a Member State of the EU on 25th May 2018, so this will happen, and the Information Commissioner’s Office (ICO) is proceeding on this basis.
Indeed, although EU Regulations would cease to apply on the date the UK leaves the EU, the early indications are that the government would legislate to preserve much or all of GDPR in domestic law.
In any event, the territorial reach of GDPR (Article 3) extends to a company outside the EU that is offering goods or services to, or monitoring the behaviour of, data subjects who are in the EU. Note that this turns on where the individuals are, not on their citizenship. As a result, many UK businesses and groups will still be affected after Brexit whatever the UK government does.
GDPR has six defining principles:
- The data is processed fairly, lawfully and in a transparent manner in relation to the data subject.
- The data is collected for specified, explicit and legitimate purposes and not further processed for other reasons incompatible with the original purpose.
- The data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- The data is accurate and, where necessary, kept up to date.
- The data is stored in a form that permits identification of data subjects for no longer than is required for the purposes for which the personal data is processed.
- The data is processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
GDPR has greatly broadened the rights of the data subject, including the ‘right to be forgotten’ (erasure) and the right to receive back their personal data in a structured, commonly used and machine-readable format so that it can easily be transferred to another provider, the so-called ‘data portability’ right.
For children under sixteen (Member States may lower this age to no less than thirteen), GDPR states that consent to the processing of personal data by ‘information society services’, such as social networking sites, must be given or authorised by the holder of parental responsibility.
It is absolutely clear that this new regime will place much greater demands on businesses holding personal data to evidence compliance.
The concept of ‘data protection by design’ obliges the inclusion of explicit data protection controls at the blueprint stage of new projects involving the processing of personal data. Should the project be likely to result in a high risk to individuals under the GDPR criteria and the ICO guidelines, a data protection impact assessment is mandatory.
Internal records must be maintained of all personal data processing, including details of the purpose, the categories of recipients, the envisaged time limits for deletion and an overview of the technical and organisational measures in place to protect the data.
However, the most dramatic change is in the area of security breaches and the ensuing penalties. Under the Data Protection Act 1998, there is no statutory requirement to inform the ICO of a breach, although there is an expectation that the ICO will be informed of “serious” breaches.
GDPR requires that, once a company becomes aware that a personal data breach has occurred, it must notify the supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within seventy-two hours, giving reasons for any delay beyond that, unless the company can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. Every breach, notified or not, must be documented internally.
If the breach is likely to result in a high risk to individuals’ rights and freedoms, the affected individuals must also be notified without undue delay so that they can take the requisite precautions, and given guidance on the measures they can take to mitigate potential detrimental effects.
Under the Data Protection Act, the ICO can issue monetary penalties of up to £500,000 for the most serious breaches. GDPR introduces a tiered mechanism for penalties: for the most severe infringements, up to the higher of 4% of annual worldwide turnover or €20m; for lesser infringements, up to the higher of 2% of annual worldwide turnover or €10m.
As is frequently the case, although we are nearly halfway through the time until GDPR comes into force, many, probably most, companies have not started making preparations. Make no mistake, every company that holds personal data will to a greater or lesser extent be impacted.
Whether it is the transparency of your privacy notices and policies, reviewing the legal basis for using personal data, implementing in-house procedures or staff training to meet the requirements of GDPR, there is much to be done.
Data security needs to be at the heart of this. Systems that hold personal data must be reviewed to ensure that they are fit for purpose and protected against both internal and external threats, with access controlled and logged. Two-step (multi-factor) verification for access to systems holding personal data should now be the default minimum.
If a breach does occur, it is essential that breach response procedures are in place, tested and understood, so that the seventy-two-hour notification window can be met.
The ICO has published a guide, ‘GDPR: 12 Steps To Take Now’, which is available on its website. If you have any questions or would like any further information on how GDPR will affect your business, please email tax@cooperfaure.co.uk.