The General Data Protection Regulation (GDPR) has been in the making for the last five years and its implementation is now slowly creeping up on us. When incorporated into UK law it will be the major piece of legislation governing data protection and the biggest shake-up since the Data Protection Act came into force in 1998. As our solicitor reported in his article Data Protection in the 21st-Century, the GDPR will come into force on 25th May 2018, with no grace period beyond that. He noted that “preparation was key!”
The original Data Protection Principles from the Data Protection Act will by and large remain in place; however, the GDPR introduces a number of key changes for businesses and organisations to bring data protection up to date with the advances in technology since 1998.
Firstly, there is a new “transparency” requirement for data processors when handling and collecting personal data. A business must provide details of its procedures at the point of collecting data, i.e. at the outset. For example, when a firm of solicitors takes on a new client, the engagement letter should set out in a concise, transparent and intelligible form the how, when, where, what and why of data processing. This should include the purpose and legal basis for processing the information, the types of personal data that will be used and why they are needed. Businesses also have to confirm with whom personal data will be shared and for how long personal data will be kept.
A major change from the old regime to the new involves the matter of consent. Very few people have been fortunate enough to avoid the pitfall of failing to tick the box that gives a company “consent” to share information. This will be no more. The checkbox trick was an easy way to obtain consent to share personal information online or on an application form. Under the GDPR, consent must be freely given, unambiguous and involve clear affirmative action. In short, the person involved must give their explicit consent for the information to be shared. If they do not, and the information is shared anyway, the business sharing it may be held in breach of the new rules. This should ensure better protection of the persons whose data may or may not have been shared in the past.
Companies must now have policies and measures in place to enable them to prove compliance with the GDPR. This will involve keeping documentation to demonstrate to the Information Commissioner’s Office that they are complying with the GDPR. Though this may mean more paperwork for businesses, the intention of the GDPR is to provide better protection for individuals. Businesses will now, more than ever, need to keep documentation available to show compliance and processing, including the name and contact details of their clients, the purpose for processing the information, with whom personal data will be or has been shared, how long the personal data is kept, and a summary of the company’s data security measures. Protection of the data subject, however, is of the utmost importance.
The GDPR deals with data security. Businesses and service providers must now devise and implement appropriate security measures to protect the data that they process on behalf of clients and customers. The Data Protection Act was not silent on data security, but given the astronomical advances in technology, and unfortunately in the ability of hackers, the rules surrounding data security required updating. The GDPR requires the data processor to consider its measures having regard to the state of the art; the costs involved in implementing security measures; the nature, scope, context and purposes of processing; and the risks for data subjects.
In the event of a data protection breach, the Information Commissioner’s Office must be notified within 72 hours if the breach is likely to put the data subject at risk. Best practice would be to notify the ICO (and the subject) immediately, but in any event this must be done within 72 hours. Most organisations should have a nominated data protection officer to deal with breaches.
Organisations that use service providers, such as lawyers using medical experts, are required to engage with those service providers to put data security measures in place and to comply with the GDPR. Service providers must delete or return personal data to the organisation at the end of their contract. As always, an evidence trail for this must be available for audit by the Information Commissioner’s Office if required.
Finally, people whose data is held by an organisation will have a number of new rights when the GDPR is given effect in UK law. A data subject now has the right:
- to demand transparency information that has not been provided;
- to rectify data held about them without the need to go to court;
- to restrict processing of data relating to them;
- to be forgotten;
- to data portability, for example to have all data stored relating to them ‘packaged up’, and taken to a new processor; and
- to have a person make a decision over an automated decision – the data subject can demand that a human take a decision instead of a computer.
The sanctions for breaches and failing to comply with the GDPR are worthy of note – previously, the maximum fine was £500,000; come May 2018, it will be up to 4% of global annual turnover or €20 million, whichever is the greater! While the level of fine will depend on the nature, duration and gravity of the breach, those figures alone must be enough to get us started on our preparation for May!