(This article is the opinion of the author, and is not intended to constitute legal advice.)
— — — — — — — — — — —
Do you remember 1998?
That was the year US president Bill Clinton and Monica Lewinsky were in the news, the dot-com bubble was getting bigger, the DVD format was released onto the UK market for the first time and the highest grossing movie of that year was Titanic starring Leonardo DiCaprio and Kate Winslet.
Most importantly, it was also the year that the Data Protection Act 1998 became law in the UK, regulating the storage of personal data stored on computers or in paper filing systems.
You remember paper filing systems, right?
Data protection for the 21st century
In 2018, 20 years after the 1998 Act became law, the UK along with its EU partners will be updating the regulations around the management of personal data. The new regulations are called the General Data Protection Regulations (GDPR) and they will become law on 25th May 2018 (regardless of the country’s Brexit negotiations!).
There are a variety of reasons for this important and far-reaching update.
Clearly, the ways we process and manage personal data have changed considerably over the last 20 years. However, legislation did not always keep pace with these changes.
We are seeing a trend for more and more private, personal data being held and shared within and between companies. That trend is only going to continue for the foreseeable future. Furthermore, personal data is an increasingly valuable commodity and is of great value to criminals and to marketing companies, for example. In recent years we have also seen numerous serious data breaches which exposed weaknesses in the existing legislation. So, it is hardly surprising that many experts came to the conclusion that a review of the ’98 Act was long overdue.
GDPR — What you need to know
This is a relatively brief introduction and is designed simply to update managers in organizations preparing for the introduction of the GDPR. Managers responsible for leading those preparations are recommended to visit the UK Information Commissioner’s Office website, which provides comprehensive guidelines on the GDPR and the preparations that organizations must make to comply with the regulations involved.
The legislation is complex and will impact different companies in different ways. Importantly, it will impact any company, wherever it is in the world, that processes the personal data of EU nationals.
So, any company in this position needs to be prepared for the introduction of the regulations in May 2018 and the earlier companies start preparing, the better.
With this in mind here are 7 key things that people working in organizations that handle the personal data of EU nationals need to be aware of.
1. Expect the General Data Protection Regulations (GDPR) to be impactful.
Businesses that process the personal data of EU citizens, regardless of where they are in the world, have until May 2018 to fully comply with GDPR. Companies found to be in breach of the Regulation after that date could find themselves facing substantial fines and the reputational damage they may suffer as a consequence should not be underestimated.
The implications of the legislation will be felt far beyond a company’s legal or IT departments. It will have implications across the organization, including marketing, finance and human resources, and because breaches of GDPR may result in non-complying companies being fined, it will be felt in the boardroom too.
2. Company size
The amount of work each company will need to undertake in order to ensure that they comply with GDPR will depend on:
Number of employees — Companies with 250 or more employees will find that the legislation could involve a greater administrative burden than businesses with fewer than 250 employees.
Existing data protection processes — Businesses that are compliant with existing data protection legislation will find that there is far less work involved than companies with little or nothing in place. So, for example, new business startups will need to ensure that they are collecting personal data in a manner that is compliant with this legislation.
The UK’s Information Commissioner’s Office has produced a 12 step guide for companies to help them prepare for the introduction of the new legislation.
3. Handling of personal data
“Personal data” is defined as “any information relating to an identified or identifiable natural person” and that person is called the data subject.
A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Under the GDPR, non-complying organizations can face severe fines. This has the potential to be one of the most impactful areas of the Regulations. Depending on the violation, the legislation provides for non-compliant businesses to receive penalties of 2% or 4% of the organization’s total worldwide annual turnover during the preceding financial year.
The GDPR aims to give people genuine ongoing choice and control over how their personal data is used.
Organizations must be able to demonstrate that consent to store personal data was “freely given, specific, informed and unambiguous”.
Where an organization processes data belonging to children under 16 years in the UK (although the age may be as low as 13 in some EU states), then they must obtain parental consent.
The legislation establishes the following rights for EU citizens:
Right to be informed
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object
Rights related to automated decision making including profiling
Importantly, in addition to the express consent required from the data subject under GDPR before their information can be processed, data subjects will have the right to withdraw their consent at any time.
5. Privacy Impact Assessments (PIAs)
The Information Commissioner’s Office encourages a ‘privacy by design’ approach to data privacy.
This means that privacy should be a key consideration in the early stages of any project and for the duration of that project. Privacy Impact Assessments (PIAs) will:
i. help identify the privacy risks involved in company projects; and
ii. give companies the information required to respond appropriately where a PIA reveals that there is a potentially high risk of a privacy breach.
6. Appointing a Data Protection Officer
The GDPR outlines those situations where organizations must appoint a Data Protection Officer (DPO). These are where an organization carries out large scale:
i. systematic monitoring of individuals (for example, online behavior tracking); or
ii. processing of special categories of data, or data relating to criminal convictions and offenses.
The requirement also applies to public authorities (except for courts acting in their judicial capacity).
7. Identifying the roles of data controllers and data processors
The GDPR recognizes that different businesses involved in the processing of personal data have different degrees of responsibility for, and involvement in processing of, personal data.
So, it makes the distinction between the roles and responsibilities of a data controller and of a data processor:
Data Controller — determines the purposes and means of processing personal data. The GDPR obligates controllers to ensure that contracts with processors comply with the GDPR, and to notify the Supervisory Authority no later than 72 hours after having become aware of a data breach that is likely to result in a risk to the rights and freedoms of the person involved. In the UK the Supervisory Authority will be the Information Commissioner’s Office (ICO).
Data Processor — processes personal data on behalf of a controller. The GDPR places specific legal obligations on processors including legal liability if they are found to be responsible for a breach. Where a data processor is responsible for a personal data breach, they must notify their Data Controller.
The Data Processor and the Data Controller can be a person, business or public authority. A Data Processor is under fewer obligations than a Data Controller and companies can be both Data Controllers and Processors.
The world has moved on a lot since the 1998 Data Protection Act became law in the UK. However, despite changes in technology, it is important to recognize that GDPR is not an attempt to rewrite existing data protection legislation; it is simply intended to update and strengthen it.
This is good news for those companies that are complying with the 1998 Data Protection Act before GDPR becomes law. They will have robust foundations upon which to build and the road to compliance may well be relatively short.
However, it is those companies who have made little or no progress towards compliance by May 2018, due to negligence, ignorance, or the fact that they are newer companies, that may find complying with GDPR more difficult to achieve and have the most work to do.