A major milestone in EU data protection law was marked when the General Data Protection Regulation (GDPR) came into force just before the EU Referendum. It is a huge piece of legislation set to replace the UK’s 1998 Data Protection Act from May 2018 and marks a tough new era in EU-wide data protection, with new powers for data regulators and much stricter operating boundaries for businesses that process personally identifiable information about individuals.
UK companies imagining that Brexit has removed the need for them to comply should be warned that they ignore the new requirements at their peril: they are likely to find they have to comply with the Regulation, or with a UK version in a very similar form. Getting the upgraded systems and processes in place will take time, and those that delay risk missing out on future trading.
The overarching aim of the new Regulation is to harmonise data protection across all EU member states. Being an EU Regulation rather than a Directive, it becomes law without the need for any national legislation in the 28 individual EU countries. It should make it simpler for everyone, including non-European companies, to comply with data protection. It comes at a cost, however, with greater responsibilities for data processors and severe penalties of up to 4% of worldwide turnover for non-compliance.
Jonathan Waters, corporate partner at Hay & Kilner commented:
“UK businesses, whatever their size, which trade in the EU, or want to be able to transfer personal data in from the EU, should be looking to adopt GDPR as a minimum standard.
For any trading relationship between the UK and the EU, our data protection law will need to be broadly equivalent. If we were to stick with the current 1998 Act, we could expect other countries to view our regime as providing insufficient protection”.
The main provisions of the GDPR include:
Consent: In future, an individual will have to make a positive action that demonstrates their consent, in order for their data to be collected. The consent can be withdrawn at any time, as individuals have ‘the right to be forgotten’ and can also transfer their data elsewhere if they choose.
There will also need to be separate consent for the processing of data for a new purpose, beyond that for which it was originally collected.
Transparency: Processors will have to provide more information from the outset about how data will be used and how long it will be kept for.
Accountability: There is a shift from risk management to compliance. So in future, organisations will have to be able to show that they are actively complying with the GDPR.
Data Protection Officer: A specialist Data Protection Officer will be an obligatory appointment for most public bodies and for any organisation controlling or processing data where core activities involve ‘regular and systematic monitoring’ of data subjects ‘on a large scale’.
Breaches: There will be a statutory obligation to notify the regulator and the individuals affected if any breach puts an individual’s personally identifiable information at risk. Fines will be imposed for breaches, up to a maximum of €20m or 4% of total worldwide turnover for businesses, for serious contraventions.
Children: No one under 13 can give their consent to the processing of personal data in relation to online services, and so parental consent must be obtained.
The situation may be further complicated during the transition process: until the UK has data protection laws which the European Commission recognises with a formal adequacy decision, companies that move personal data from the EU to the UK will need to implement some other mechanism, such as standard contract clauses approved by the Commission.
If you would like to discuss any of the points raised in this article, please contact Jonathan Waters, corporate partner at Hay & Kilner.
Call: 0191 232 8345