With Data Protection reform on the brink of being finalised, now is the time to think about what steps you should take to get ready for the new EU General Data Protection Regulation (“GDPR”).
On Tuesday, 15 December 2015, the three EU law-making institutions, the European Commission, Council of Ministers and the European Parliament concluded the “trilogue” negotiation process, resulting in a consolidated text of the GDPR, almost four years after the GDPR was first proposed by the European Commission in January 2012.
The European Parliament’s Civil Liberties, Justice and Home Affairs Committee approved the consolidated GDPR text on Thursday, 17 December 2015, transforming the EU Data Protection landscape going forward. All that now remains is for the European Parliament and the Council of Ministers to formally adopt the consolidated GDPR text in early 2016. The GDPR will come into effect two years later, in 2018.
The GDPR represents the most significant overhaul of Data Protection legislation for over 25 years, with important updates to the DPA, including:
- the GDPR will replace the existing patchwork of national Data Protection laws within EU Member States, resulting in a single Data Protection law across the EU. This provides organisations operating across the EU with legal certainty and consistency but it also means that all EU Member States now have a consistently high standard of Data Protection;
- it applies to organisations based in the EU and to organisations based outside the EU that collect personal data from EU citizens when providing services to them;
- Data Protection statements included within forms and correspondence will need to be more comprehensive and set out additional information, including how long the personal data will be retained and details of individuals’ rights and the right to complain to the Information Commissioner’s Office (“ICO”);
- organisations will be required to undertake privacy impact assessments where they intend to process personal data in a manner that is likely to result in a high risk for the rights and freedoms of individuals, for example, profiling via wearable technologies;
- organisations will not be able to rely on individual consent alone to justify use of personal data where there is a significant power imbalance between the organisation and the individual, such as where the individual is an employee or service user of the organisation or the organisation is a public authority;
- if the individual’s consent to the use of their personal data by an organisation is given in a document and that document concerns other matters, such as an employment contract, the consent statement will need to be distinguishable from the other content;
- a higher standard of consent applies, in terms of which an organisation relying on consent to justify the processing of personal data will need to demonstrate that the consent is freely given, specific and informed and is an unambiguous indication of an individual’s wishes by means of either a statement or clear affirmative action;
- EU Member States are to be given discretion in relation to the age at which parental consent will be required to the processing of personal data concerning children. The initial proposal was that such consent would be required from children below the age of 13, which is consistent with the approach adopted by most online service providers, but the final text provides for parental consent to be required for children under the age of 16, unless an EU Member State’s law requires a lower age, which cannot be below 13 years of age;
- organisations will need to respond to requests for access to personal data received in electronic format if the request was made in that format. Organisations will not be able to charge for responding, unless the request is manifestly excessive. A response must be provided within one month of the request – a reduction on the current 40 calendar day deadline;
- individuals will have a right to request a copy of their personal data from one organisation in commonly used electronic format for further use of that data by another organisation. This could be used where an employee moves from one organisation to another;
- some private sector organisations and most public authorities will be required to appoint a Data Protection officer, who is required to have suitable professional qualities and expert knowledge on Data Protection matters. Data Protection officers will act as the public “face” of an organisation on Data Protection matters and advise the organisation on Data Protection compliance;
- data breaches are to be notified to the ICO within 72 hours of the organisation becoming aware of them and, where the breach puts individuals’ data at risk, to the individuals concerned. The notification must include a number of details about the breach, including the measures that have been implemented to mitigate its possible adverse effects;
- annual Data Protection registration with the ICO will be abolished. However, in return, the ICO will have more extensive powers of audit and organisations will need to maintain comprehensive audit trails available for inspection by the ICO; and
- fines for non-compliance depend on the nature of the breach, with organisations being subject to a fine of up to 4% of their annual global turnover for the previous financial year for the most serious breaches involving .
What should we do now?
While 2018 might seem far off, organisations should now consider what changes are required to ensure compliance with the GDPR.
Practical steps to take now include:
- complete a Data Protection audit to determine the compliance levels with the Data Protection Act 1998 (“DPA”);
- ensure compliance in all respects with the DPA. If an organisation cannot tick all of the DPA boxes now, it will struggle to comply with the new GDPR, which provides for higher standards of Data Protection;
- provide staff and with Data Protection training;
- review existing forms and correspondence and any other Data Protection statements used elsewhere within the organisation;
- implement a data breach management policy to contain the impact of any data breach;
- adopt a higher standard of data security by limiting access to personal data within the organisation, using encrypted e-mail for communication of personal data and monitoring the network to minimise the risk of threats entering the organisation’s systems; and
- consider cyber insurance, which offers protection from some of the financial consequences of a Data Protection breach.
How we can help
To discuss any of the issues raised in this article or to find out more about how the DPA could affect you, please get in touch.