Data Protection: Reloaded

  • July 17, 2017
  • By Hunters Law

The data protection regime which is currently meant to provide our electronic life with basic privacy and protection is set out in the Data Protection Act 1998 and in related legislation. The 1998 Act in turn implemented the European Data Protection Directive of 1995 into UK law. That was a very different age from today’s world, where pretty much everything about us, from our bank details to our social networking activities and holiday photos and on to our medical history, is a piece of data available at the touch of a button, and where we are directly or indirectly identifiable to the many sites and service providers which we rely upon (and many we don’t).

The press has been awash with examples recently of wholesale data breaches and of personal data being illegally accessed while entrusted by customers to organisations such as telecom service providers and banks.  A revamp of the data protection rules has long been overdue to make them fit for an increasingly digital, technological and globalised world, and to give enforcement more teeth.  Again, the impetus is coming from the EU with the aim of providing greater data protection for EU citizens.  The new General Data Protection Regulation (GDPR) will be directly applicable in all EU member states from 25 May 2018, by which time organisations that process our data will have to be compliant with the new requirements.  In the UK, the GDPR will replace the 1998 Act, Brexit notwithstanding, and the anticipation is that, following Brexit, the rules will be incorporated initially unchanged into national UK law.

The new Regulation is aimed both at harmonising and enhancing the regulatory framework governing data privacy and at transforming the approach that organisations take to protecting you and me (or ‘data subjects’, in tech speak) from infringements of privacy laws.  So how exactly will the GDPR strengthen data protection?  First, the requirement of consent to the use of personal data will be strengthened and made more transparent while at the same time making it easier to withdraw consent.

Secondly, both data controllers, who determine the purpose and means of collecting personal data, and data processors, such as cloud service providers, must comply with a strict notification policy: a data protection breach which poses a risk to individuals must be notified to the national supervisory authority within 72 hours and to affected individuals without undue delay.

Thirdly, the GDPR vests greater power in data subjects to obtain information on, gain access to, and exercise control over any personal information that is being processed about them and why; the ‘right to be forgotten’ will also be strengthened.

‘Privacy by design’ will become a legal requirement, meaning that controllers must incorporate data protection systems at the outset of their activities rather than adding procedures and frameworks at a later stage.

The GDPR will simplify and harmonise the role of Data Protection Officers and it will generally no longer be necessary to submit notifications and registrations to local Data Protection Authorities.

Importantly, the GDPR will extend data privacy for EU citizens beyond the physical boundaries of the EU: even if an organisation is located outside of the EU, it must still comply with the GDPR requirements when processing the personal data of EU citizens. The GDPR will enable substantial sanctions to be imposed on organisations found in breach of its requirements: where there has been a serious infringement, fines of up to 4% of annual global turnover or €20 million, whichever is the higher, can be imposed. Let’s hope that these enforcement powers will be used to give real effect to data protection and privacy. Not surprisingly, many organisations that collect and process personal data have already started to adapt to and implement the new regime.

Gregor Kleinknecht


Hunters Solicitors

This article was originally published in Discover Germany (page 124).
