February 2018

FIBA Advantage

10 GDPR changes to bear in mind

By Howard Kennedy LLP

The EU General Data Protection Regulation (GDPR) is the biggest change to data protection law in 20 years. Practically every aspect of the old law has been overhauled and modernised. Businesses will need to adapt before the GDPR comes into force on 25th May 2018. As the UK will still be a member state of the EU on this date, the GDPR will apply directly, without the need for further implementation.

The government has confirmed that the GDPR will be incorporated into the UK's domestic law on leaving the EU and must be complied with, irrespective of Brexit.

We've identified 10 of the biggest changes the GDPR will make to current law, which we recommend you take account of and seek professional advice on.

1. Scope

Where a business is based outside of the EU, but offers goods and services to individuals in the EU, or monitors their behaviour, the GDPR will apply. This puts obligations on data processors (organisations which work with personal data on behalf of other organisations) as well as data controllers. If you are established outside the EU (including in the UK, following Brexit) your contracts will need to be revised.

2. Accountability and transparency

The requirement to register (notify) with the Information Commissioner's Office (ICO) will be scrapped. Instead, you will have to keep full records of any data processed, including the type of data and the purpose it is used for. You will also need to give much more detailed notices to people you collect information from.

3. Data protection officers (DPO)

You may need to designate a data protection officer (DPO) to take responsibility for data protection compliance. Their tasks will include liaising and cooperating with supervisory authorities and monitoring compliance. The DPO will need sufficient expert knowledge of data protection law and practices to conduct Privacy Impact Assessments and ensure appropriate policies are in place.

4. Consent rules

Consent to the processing of personal data must be freely given, specific, informed and unambiguous, and must be signified by a statement or by a clear affirmative action. Individuals have the right to withdraw consent at any time.

5. Transfers out of the EEA

Parallel legal developments to the GDPR have made this a very hot topic. The old ‘Safe Harbour’ scheme is no longer effective to transfer personal data to the USA and has been replaced by a new EU/US ‘Privacy Shield’.

6. Subject access requests

The rules governing subject access requests will change. You will not be able to charge for complying with a request and will have a month to comply, rather than the current 40 days.

7. Data portability

A new concept of data portability has been introduced to enable data subjects to transfer personal data in a commonly-used electronic format between data controllers, so as to switch between service providers more easily.

8. Right to be forgotten

An individual can require that their personal data is erased if it is no longer necessary, if consent is withdrawn and on grounds relating to the individual’s “particular situation”.

9. Breach notification

A mandatory breach notification scheme is to be imposed. Breaches (accidental or unlawful loss, alteration or unauthorised access to personal data) must be reported to the ICO within 72 hours and possibly also to the individuals whose data has been compromised.

10. Fines

A two-tiered sanctions regime will apply. Certain breaches will attract a fine of €10m or 2% of global annual turnover, whichever is greater. Fines for more serious breaches will be as much as €20m or 4% of global annual turnover. The ICO can also impose a total ban on data processing by the organisation found to be in breach of its obligations.