Data Protection: Reloaded
The data protection regime which is currently meant to provide our electronic life with basic privacy and protection is set out in the Data Protection Act 1998 and in related legislation. The 1998 Act in turn implemented the European Data Protection Directive of 1995 into UK law. That was a very different age from today’s world, where pretty much everything about us, from our bank details, through our social networking activity and holiday photos, down to our medical history, is a piece of data available at the touch of a button, and where we are directly or indirectly identifiable to the many sites and service providers which we rely upon (and many we don’t).
The press has been awash with examples recently of wholesale data breaches and of personal data being illegally accessed while entrusted by customers to organisations such as telecom service providers and banks. A revamp of the data protection rules has long been overdue to make them fit for an increasingly digital, technological and globalised world, and to give enforcement more teeth. Again, the impetus is coming from the EU with the aim of providing greater data protection for EU citizens. The new General Data Protection Regulation (GDPR) will be directly applicable in all EU member states from 25 May 2018, by which time organisations that process our data will have to be compliant with the new requirements. In the UK, the GDPR will replace the 1998 Act, Brexit notwithstanding, and the anticipation is that, following Brexit, the rules will be incorporated initially unchanged into national UK law.
The new Regulation is aimed both at harmonising and enhancing the regulatory framework governing data privacy and at transforming the approach that organisations take to protecting you and me (or ‘data subjects’, in the language of the Regulation) from infringements of privacy laws. So how exactly will the GDPR strengthen data protection? First, the requirement for consent to the use of personal data will be strengthened and made more transparent: consent must be freely given, specific, informed and unambiguous, and it must be as easy for the individual to withdraw consent as it was to give it.
Secondly, both data controllers, who determine the purposes and means of processing personal data, and data processors, such as cloud service providers, must comply with strict breach notification rules. A processor which becomes aware of a personal data breach must inform the controller without undue delay. The controller must notify the national supervisory authority within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals’ rights and freedoms, and, where the breach is likely to result in a high risk to individuals, must also inform those affected without undue delay.
Thirdly, the GDPR vests greater power in data subjects to obtain information on, gain access to, and exercise control over any personal information that is being processed about them and why; the ‘right to be forgotten’ will also be strengthened.
‘Privacy by design’ (in the words of the Regulation, ‘data protection by design and by default’) will become a legal requirement, meaning that controllers must build appropriate technical and organisational safeguards, such as pseudonymisation and data minimisation, into their processing from the outset rather than adding procedures and frameworks at a later stage.
The GDPR will simplify and harmonise the role of Data Protection Officers, whose appointment becomes mandatory for public authorities and for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data, and it will generally no longer be necessary to submit notifications and registrations to local Data Protection Authorities.
Importantly, the GDPR will extend data protection beyond the physical boundaries of the EU: even if an organisation is located outside the EU, it must still comply with the GDPR when it processes the personal data of individuals who are in the EU in connection with offering them goods or services or monitoring their behaviour within the EU. The GDPR will enable substantial sanctions to be imposed on organisations found in breach of its requirements: for the most serious infringements, fines of up to 4% of annual worldwide turnover or €20 million, whichever is the higher, can be imposed, with a lower tier of 2% or €10 million for other infringements such as failures in breach notification or record-keeping. Let’s hope that these enforcement powers will be used to give real effect to data protection and privacy. Not surprisingly, many organisations that collect and process personal data have already started to adapt to and implement the new regime.
This article was originally published in Discover Germany and can be accessed on page 124 here.