GDPR: data protection version 2.0
The acronym GDPR does not exactly roll off the tongue, but anyone running a business, or processing personal data in any other capacity, whether as a charity, educational institution, membership organisation or employer, must familiarise themselves with it sooner rather than later.
The new General Data Protection Regulation (GDPR) is an EU Regulation that will take direct effect in all EU Member States, including the UK, on 25 May 2018. In the UK, the GDPR will replace the Data Protection Act 1998 (1998 Act). For the EU, the GDPR forms part of a bigger picture: the project of creating the digital single market. It is generally anticipated that, following Brexit, the GDPR will be incorporated into UK national law and continue to apply without significant changes.
The current data protection regime pre-dates the digital age with its social media platforms, cloud computing, e-commerce, online banking, content streaming, computerised patient records, etc, and was simply no longer considered fit for purpose in an increasingly online and globalised world. Moreover, large scale and well-publicised data breaches in the telecommunications and banking sectors have recently put data protection and security at the forefront of many consumers’, businesses’ and governments’ minds.
The GDPR is aimed both at harmonising and enhancing the regulatory framework governing data privacy across the EU, and at transforming the approach organisations take to protecting citizens (called ‘data subjects’) from infringements of privacy law. The GDPR will provide greater data protection for EU citizens in an increasingly digital, technological and globalised world and should be welcomed. Examples where the GDPR will make a practical difference are data subject consent to data processing and profiling. Importantly, the GDPR recognises that data flows no longer stop at national borders. The new rules will therefore apply to the processing of personal data of any person who is in the EU, even if the data controller or processor is not established in the EU, where the processing relates to offering goods or services to that person or to monitoring their behaviour within the EU. In plain English, this means that social media companies based in the US will have to comply with the GDPR if they process the personal data of anybody who is in the EU in the course of providing their service to them.
The UK is given an element of discretion as to the implementation of the new data protection regime, and can make additional provision in relation to some issues. One such issue is the age at which a child can validly consent to the processing of their personal data where information society services are offered directly to that child: the GDPR sets this at 16, but permits Member States to lower it to no less than 13.
Anybody who processes personal data must start preparing now. The Information Commissioner’s Office (ICO) is developing guidance on the implementation of the GDPR and has already published a very useful guide: Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now. Hunters Solicitors is working with clients to audit what personal information they collect and how they process it. The next step will be for the firm to assist clients with reviewing and updating their privacy and data protection policies, and their terms and conditions of business, to ensure that their data processing and protection procedures comply with the new rules. Businesses must also start planning ahead for what should happen in the event of a data breach, and familiarise themselves with who they must report a breach to: the GDPR requires notifiable breaches to be reported to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of them, and to the affected individuals themselves where the breach is likely to result in a high risk to their rights and freedoms.
In order to reduce red tape for small businesses, the GDPR includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. The derogation is not unconditional: it does not apply where the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of personal data or data relating to criminal convictions and offences. In addition, the EU institutions and Member States, and their supervisory authorities – such as the ICO in the UK – are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of the GDPR. However, there will still be a need for organisations to learn about the changes and how to implement them – invariably, implementing changes will cause disruption during a transitional period.
Not being ready to comply with the new rules when they come into force will not be an option. In this increasingly security conscious world, companies will be at a major competitive disadvantage if they cannot demonstrate to customers and clients that their personal data is protected. Equally importantly, the GDPR enables large fines to be imposed for breaches of data protection rules – up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements – and permits individuals and groups to bring claims for compensation if they have suffered damage as a result of non-compliance. Acting now and developing a strong plan for implementing the new rules will be essential for all businesses.
Gregor Kleinknecht, Partner
Petra Warrington, Associate