Data protection law has been updated by the European Union and will be in place in less than a year. Despite the Brexit vote, businesses need to note the changes, as the penalties for breaches will be severe and adjusting to the new rules will take time. Adam Bernstein explains the situation.
The EU’s General Data Protection Regulation (GDPR) was finalised in April 2016 after four years of discussion, disagreement and negotiation, and will apply directly in all member states from 25 May 2018. Firms have no choice – the GDPR is not going away.
But a question arises: now that we’re scheduled to leave the EU, will the GDPR still matter? The answer is yes – it will.
Andrew Gallie, a Senior Associate at Veale Wasbrough Vizards specialising in information and data protection law, says the GDPR is not a monster but it needs to be taken seriously. Andrew said: “Changes will be required, and if the required changes are not made then firms risk considerable fines and reputational damage. Indeed, under the GDPR, those organisations that breach the law could face a fine of up to 4% of annual worldwide turnover or €20m (whichever is the greater).”
These penalties do seem geared to the larger firm, but a quick search of the Information Commissioner’s Office (ICO) website – the ICO being the UK enforcer of data protection law – shows that organisations of all sizes are being taken to task.
For example, in July 2013, Tameside Energy Services was fined £45,000 by the ICO for making thousands of nuisance calls concerning the Green Deal.
Another instance is that of boiler replacement company FEP Heatcare, listed as one of Britain’s most complained-about nuisance callers, which was fined £180,000 by the ICO in March 2016 for making 2.6 million unwanted calls that played a recorded message promoting the company’s products and services.
These cases are just some of those dealt with by the ICO recently – and all it takes for the ICO to become interested is a single complaint.
The present data protection regime, under the Data Protection Act 1998 (DPA), protects a person’s rights in respect of their personal data and is built upon eight data protection principles.
These are all common sense and require that personal data is: processed fairly and lawfully; obtained and used for specified and lawful purposes only; adequate, relevant and not excessive in relation to their purposes; accurate and up-to-date; not kept for longer than is necessary; processed in accordance with the individual’s rights; kept secure; and not transferred outside of the European Economic Area without adequate protection.
Apart from these, Andrew says there are other points to note about the present law: “The first is that there are extra obligations when handling sensitive personal data, such as information about ethnic origin, sexual life, trade union membership etc. Further, individuals have the right via a subject access request to find out what information is held about them.”
Individuals have the right to know what is going to be done with their data and whether it is going to be shared with anyone. A website privacy notice is the usual way of telling people this.
Andrew says that, under the GDPR, there is additional information which must be provided: “Firms will need to tell data subjects the legal basis for processing their data, the data retention period, and of their right to complain to the ICO. There is also a requirement that the privacy notice is concise, easy to understand and in clear language.”
The GDPR confers new or strengthened rights: to have inaccuracies corrected, to have information erased, to object to direct marketing, and a right to data portability (which means firms will have to be able to supply an individual’s data in a commonly used electronic format).
Presently, firms have 40 days to respond to a subject access request, but under the GDPR this drops to a month. On this, Andrew says: “Refusing a request will require a firm to have appropriate policies and procedures in place. There will also be obligations to provide additional information, such as data retention periods, and the right to have inaccurate data corrected.”
For many, the most challenging area is that of consent. Andrew says that consent to use personal data cannot be inferred from silence, pre-ticked boxes or inactivity: “The GDPR requires that consent must be freely given, specific, informed and unambiguous. If a firm is going to rely upon ‘implicit consent’ then it must be ready to deal with a challenge as to how unambiguous the consent was.”
There is presently no general obligation to report data breaches, but the GDPR radically changes this: a personal data breach that is likely to put individuals at risk must be reported to the ICO within 72 hours of the firm becoming aware of it, and where the risk to individuals is high, the affected individuals must be told as well.
“Firms should consider how they would deal with this new obligation,” says Andrew. “They should be asking: how secure are their systems? What training do staff have? Do the procedures in place around data breaches allow these obligations to be met?”
One obvious step towards compliance, reckons Andrew, is “appointing a capable, interested person with the responsibility for ensuring that the obligations are met.”
The GDPR is a real and present threat to firms and organisations of all sizes and the financial consequences for ignoring the new rules are severe. However, those that plan ahead and who choose to follow their obligations should have little to worry about.