Data Protection: Reloaded

  • July 17, 2017
  • By Hunters Law

The data protection regime which is currently meant to provide our electronic life with basic privacy and protection is set out in the Data Protection Act 1998 and in related legislation.  The 1998 Act in turn implemented the European Data Protection Directive of 1995 into UK law.  That was a very different age from today’s world, where pretty much everything about us, from our bank details, through social networking activities and holiday photos, to our medical history, is a piece of data available at the touch of a button, and we are directly or indirectly identifiable to the many sites and service providers which we rely upon (and many we don’t).

The press has been awash with examples recently of wholesale data breaches and of personal data being illegally accessed while entrusted by customers to organisations such as telecom service providers and banks.  A revamp of the data protection rules has long been overdue to make them fit for an increasingly digital, technological and globalised world, and to give enforcement more teeth.  Again, the impetus is coming from the EU with the aim of providing greater data protection for EU citizens.  The new General Data Protection Regulation (GDPR) will be directly applicable in all EU member states from 25 May 2018, by which time organisations that process our data will have to be compliant with the new requirements.  In the UK, the GDPR will replace the 1998 Act, Brexit notwithstanding, and the anticipation is that, following Brexit, the rules will be incorporated initially unchanged into national UK law.

The new Regulation is aimed both at harmonising and enhancing the regulatory framework governing data privacy and at transforming the approach that organisations take to protecting you and me (or ‘data subjects’, in tech speak) from infringements of privacy laws.  So how exactly will the GDPR strengthen data protection?  First, the requirement of consent to the use of personal data will be strengthened and made more transparent while at the same time making it easier to withdraw consent.

Secondly, both data controllers, who determine the purpose and means of collecting personal data, and data processors, such as cloud service providers, must comply with a strict notification policy: a data protection breach which poses a risk to individuals must be notified to the national supervisory authority within 72 hours and to affected individuals without undue delay.

Thirdly, the GDPR vests greater power in data subjects to obtain information on, gain access to, and exercise control over any personal information that is being processed about them and why; the ‘right to be forgotten’ will also be strengthened.

‘Privacy by design’ will become a legal requirement, meaning that controllers must incorporate data protection systems at the outset of their activities rather than adding procedures and frameworks at a later stage.

The GDPR will simplify and harmonise the role of Data Protection Officers and it will generally no longer be necessary to submit notifications and registrations to local Data Protection Authorities.

Importantly, the GDPR will extend data privacy for EU citizens beyond the physical boundaries of the EU: even if an organisation is located outside of the EU, it must still comply with the GDPR requirements when processing the personal data of EU citizens.  The GDPR will enable substantial sanctions to be imposed on organisations found in breach of its requirements, and in circumstances where there has been a serious infringement, fines of up to 4% of annual global turnover or €20 million can be imposed, whichever is the higher.  Let’s hope that these enforcement powers will be used to give real effect to data protection and privacy.  Not surprisingly, many organisations that collect and process personal data have already started to adapt to and implement the new regime.

Gregor Kleinknecht


Hunters Solicitors

This article was originally published in Discover Germany and can be accessed on page 124 here
