19 July 2016
Upholding higher data protection standards is essential for building and maintaining trust in business
On 24 May 2016, the European Union’s General Data Protection Regulation (GDPR), designed to protect how people’s personal data is processed and moved, became law. The UK was due to apply the regulation by 25 May 2018, but now that the UK has voted for Brexit, the question arises as to whether or not we still need to comply with this law and, if not, what this means for people’s personal data in the UK.
As we have not yet started the formal process of leaving the EU, it is unclear how closely the UK will be involved with the EU system in the future. If we remain within the single market, EU rules on data might continue to apply fully in the UK. If we do not, EU rules will need to be replaced with national ones.
That said, GDPR’s jurisdictional rules reach outside the EU when ‘data controllers’ offer goods or services to, or monitor, ‘data subjects’ in the EU. It is highly likely, therefore, that any country wishing to share data with EU member states, or wishing to handle an EU citizen’s data, will need to demonstrate an adequate level of data protection.
The UK’s Minister for Data Protection, Baroness Neville-Rolfe FCIS, has stated that this will be a major consideration in the UK’s negotiations going forward and that close contact will be maintained with the EU’s Information Commissioner’s Office (ICO).
If we are still part of the EU when GDPR comes into force, companies will need to make a number of significant changes to the way they treat personal data. First and foremost, there will be tighter rules for consent and companies will need to gain explicit consent from customers before processing their personal data.
Customers can withdraw their consent at any time and companies must inform them that they have the right to be forgotten or to restrict their data, the right to object to processing and the right to file a complaint with the relevant data protection authority. Working out how such things will affect individual businesses and making the associated system changes, such as handling requests from people to access their data without undue delay (at the latest within one month), will be complex.
There will be stronger accountability obligations and it is highly likely that businesses’ reliance on internal and external guidance will increase as a risk-based approach to data protection is being applied.
Direct obligations for ‘processors’ and more obligations for controllers are being introduced. With processors becoming directly subject to the regulation, they would be wise to consider what liability they can and should bear, and what can be passed back to clients and customers.
The regulation of the relationship between controller and processor is likely to pose a great challenge, especially with regard to the allocation of liability in the case of data breaches.
With regard to data breaches, the maximum level of penalties will increase (up to 4% of an undertaking’s global turnover, or €20 million) and fines will be tiered according to the nature of the infraction. Furthermore, data breaches have to be notified to the supervisory authorities within 72 hours, and to those affected ‘without undue delay’ unless there is no risk for the data subject.
Organisations will therefore need to have adequate systems in place for identifying breaches and a clear policy and procedure of what to do in the case of a data breach. This will be of particular relevance to controllers using third parties for cleaning, copying and storage where the likelihood of a breach might be increased.
There is a new mandatory requirement to have a data protection officer (DPO) in public authorities or bodies; and where the controller and/or processor is involved in a) regular and systematic monitoring of data subjects on a large scale or b) large scale processing of special categories of data and/or data relating to criminal offences.
The DPO reports directly to the executive board, must be able to operate independently and cannot be dismissed for performing their tasks. The DPO must be someone with sufficient expert knowledge of data protection law as they will advise on and monitor compliance with the regulation and act as a contact point for the regulator and customers making subject access requests.
A potential issue here could be a lack of suitably experienced people, so it is worth companies considering what staffing requirements they might have now. They should also consider if they want to appoint a single DPO for the whole business or have individual DPOs for each legal entity and/or jurisdiction.
Tighter rules to ensure that privacy is ingrained into data collection processes from the outset, and that any risks are highlighted upfront, mean that controllers and processors must carry out data impact assessments if processing presents a high risk to the rights and freedoms of the data subject – as might be the case when processing involves new technologies.
Processing and personal data should be limited to what is necessary and linked to its purpose (data minimisation and storage limitation principles). There is a new obligation to keep internal records of all processing operations.
Regardless of whether or not GDPR comes into force, legislative changes that strengthen the rights of individuals are likely to be necessary. The current UK Data Protection Act has been in place since 1998, since which time the digital landscape has changed considerably. £1 of every £5 earned by UK companies now comes from the internet and personal lives, reputations and livelihoods are much more entwined with technology.
Every time people shop online, open a bank account or join a social networking website, personal information is handed over. If that information is lost or misused, organisations not only breach people’s rights and invade their privacy, they run the risk of losing their trust and their business.
A recent survey by the UK ICO found that only one in four people trust companies with their personal data. High street banks are trusted by 53%, but this drops to 36% for government departments, 32% for high street retailers and just 22% for internet brands.
People want easier access to their own personal data and to feel that they have complete control over the information they provide online. They do not want their information stolen by criminals, used to make nuisance calls or sold to other companies for marketing.
Whatever the outcomes of our negotiations with Europe, the needs of UK citizens and businesses will need to be met so that information is not just used fairly and lawfully, but is kept safe and secure. Customers’ and stakeholders’ expectations are higher than ever. Upholding higher standards is essential for building and maintaining trust.
Assuming that the UK will need to comply with GDPR, companies should consider the following: