A major milestone in EU data protection law was marked when the General Data Protection Regulation (GDPR) came into force just before the EU Referendum. A huge piece of legislation that was set to replace the UK’s 1998 Data Protection Act from May 2018, it marks a tough new era in EU-wide data protection, with new powers for data regulators and much stricter operating boundaries for businesses that process personal data about individuals.
But UK companies imagining that Brexit has removed the need for them to comply ignore the new requirements at their peril: they are likely to find that they have to comply with the Regulation, or with a UK version in a very similar form. Getting the upgraded systems and processes in place will take time, and businesses that leave it too late risk missing out on future trading.
The over-arching aim of the new Regulation is to harmonise data protection across all EU member states, and being an EU Regulation, rather than a Directive, it becomes law without the need for any national legislation in the 28 individual EU countries. It should make it simpler for everyone, including non-European companies, to comply with data protection, but it comes at a cost, with direct responsibilities placed on data processors as well as controllers, and the maximum fine for non-compliance increasing from £500,000 to the greater of 4% of global annual turnover or €20 million.
One of the biggest changes is that the Regulation applies to any business processing personal data about individuals in the EU, not just to businesses based within the EU: it reaches any organisation outside the EU that offers goods or services to people in the EU or monitors their behaviour. This means that any UK business that is trading with EU residents will be affected, as will anyone who transfers personal data from the EU to the UK for processing or storage.
In terms of what will happen after Brexit, the Information Commissioner has stated that, irrespective of Brexit, the “underlying reality on which the policy is based has not changed”, so we can expect any new legislation brought in by the UK Government to be equally stringent.
The situation may be further complicated during the transition process. Until the UK has data protection laws which the European Commission recognises with a formal adequacy decision, companies that move personal data from the EU to the UK will need to rely on some other transfer mechanism, such as the standard contractual clauses approved by the Commission.
“In a world of competing priorities, data protection is not always a key business focus, but businesses will need to make sure that they understand the changes that the GDPR will make and check that their approach to data protection is up to scratch. We recommend that UK businesses, whatever their size, who trade in the EU or want to be able to transfer personal data in from the EU, use the requirements of GDPR as a minimum standard to be applied to their business,” explained corporate legal expert Diane Yarrow of solicitors Gardner Leader LLP.
“For any trading relationship between the UK and the EU, our data protection law will need to be broadly equivalent. If we were to stick with the current 1998 Act, we could expect other countries to view our regime as providing insufficient protection.”
The main provisions of the GDPR include:
Consent – currently, much data is collected on the basis that individuals will choose if they wish to opt out. In future, where consent is the legal basis relied on, an individual will have to take a clear positive action that demonstrates their consent before their data can be collected; pre-ticked boxes and silence will not count. Consent can be withdrawn at any time, and it must be as easy to withdraw as to give. Separately, individuals gain a ‘right to be forgotten’ (the right to have their data erased) and a right to data portability, allowing them to take their data elsewhere if they choose.
Where consent is relied on, there will also need to be separate consent for the processing of data for a new purpose, beyond that for which it was originally collected.
Transparency – more information will have to be provided by the data controller from the outset about how data will be used and how long it will be kept for, as organisations must not hold on to personal data for any longer than is necessary for the purpose it was collected for.
If it’s going to be stored outside the EEA, details must be provided of where it will be stored and what safeguards will be in place.
Accountability – there is a shift from risk management to demonstrable compliance. In future, organisations will have to be able to show, with records and documented policies, that they are actively complying with the GDPR, not just identifying risks or responding to breaches as they occur. They will also have to demonstrate that privacy is considered at every stage of their operations, through data protection by design and by default and, for higher-risk processing, data protection impact assessments.
Specialists – A specialist Data Protection Officer will be an obligatory appointment for public authorities and for any organisation controlling or processing data where core activities involve “regular and systematic monitoring” of data subjects “on a large scale”, or large-scale processing of special categories of data such as health or criminal records. For an organisation that sub-contracts its processing, there is a high duty of care imposed in selecting its data processing provider: only processors that give sufficient guarantees may be used, a written contract setting out the processor’s obligations is mandatory, and regular ongoing reviews are expected once the processor is appointed.
Breaches – currently some breaches may be managed internally without reporting, but in future there will be a statutory obligation to notify the regulator – the ICO in the UK – within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay. Fines for infringements of the Regulation will run up to a maximum of €20m, or 4% of total worldwide annual turnover, for the most serious contraventions, with a lower tier of €10m or 2% for others.
Children – Where consent is relied on for online services offered directly to a child, the Regulation sets a default age threshold of 16: below that age, consent must be given or authorised by the holder of parental responsibility. Member States are free to set a lower threshold, but it cannot go below 13, so no one under 13 can give their own consent and parental consent must be obtained.
The overriding message is that, notwithstanding Brexit, businesses need to start thinking about the GDPR now. Our Commercial Team can help businesses to achieve peace of mind by ensuring that management understand the regulatory landscape and how it applies to the business, helping to implement the changes that need to be made, and offering training to staff to explain why this is important. Should something go wrong, we can also help businesses to manage the consequences and minimise the impact on the business.