In January 2012, the European Commission proposed a comprehensive reform of data protection rules across the EU. A general approach on what these changes were to look like was agreed in June 2015 and now after several years of negotiation the regulation has been adopted.
The legislation will be directly applicable in all EU Member States from 25 May 2018, applying to data controllers and processors both inside and outside the EU if they process the personal data of EU residents. Personal data is any information relating to an individual and can be anything from a name or photograph to a post on Facebook or Twitter.
The rules will apply in all member states, and each must set up an independent Supervisory Authority to investigate complaints and sanction offences. Where a business has multiple establishments in the EU, its lead authority will be the one based where its head office is located, and this authority will supervise all data processing activities for its operations across the EU.
What are the key changes?
The regulation is founded on current data protection legislation (the Data Protection Act) but introduces some distinct differences and will require firms to put in place some new procedures in order to comply:
Right of Challenge – people now have the right to question and oppose decisions made against them on an algorithmic basis.
Privacy Settings – privacy settings must be set at the highest level possible by default; this aspect of the regulation is aimed specifically at addressing data security and social media.
Specific Consent – consent must be secured both for the collection of data and for the purpose of collection, and for children under 16 the child's parent or custodian must consent. Consent may also be withdrawn.
Data Protection Officer (DPO) – where a business's core activity requires regular monitoring of data and data subjects, it must employ an expert in data protection. This person should assist with and monitor compliance with the new regulation and is expected to manage critical IT processes, data security and issues surrounding the processing of personal and sensitive data.
Data Breach – the DPO is under a legal obligation to notify the Supervisory Authority of any breach that has occurred, and if an individual has been adversely impacted as a result of the breach, that individual will have to be notified.
Right to Erase – a person has the right to request that personal data be erased on a number of grounds which stem from the fundamental right to protection of personal data. These include:
- If the personal data is no longer necessary for the purpose for which it was originally collected
- If the subject withdraws consent
- If the subject objects to the processing and there is no legitimate interest for continuing the processing
- If the data was unlawfully processed
- If the data has to be erased in order to otherwise comply with a law
- If the data relates to information provided whilst purchasing an item online.
Other – several other areas have been enhanced, including requirements for fair processing notifications, Binding Corporate Rules to govern intragroup data transfers and strengthened international transfer protocols.
What happens if you do not comply?
The sanctions for falling foul of the regulations can be quite severe and may range from a written warning to a fine of up to €20,000,000 or 5% of the firm's total worldwide annual turnover for the preceding financial year, whichever is higher.
What should your organisation do?
Our advice is: be prepared.
2018 is not that far away and, even with Brexit, British firms will have to comply with the GDPR if they want to trade with their European neighbours. Whenever you review internal protocols, remember to provide for data protection considerations; these should be built into your business processes and into product and service development. Start thinking about how your business will perform the function of DPO (or whether you already have someone in your business who can), and start planning how your business will support and enfranchise this role. Remember, under the legislation the DPO is a discrete role: while it is related to, and likely to involve much interaction with, your Compliance Officer, the role performed and the expectations of the two roles are not the same.
The GDPR places firm accountability obligations on data controllers, so the maintenance of documentation is key. In September 2016 Britain's new Information Commissioner indicated that, regardless of Britain's place in Europe, business innovation must be underpinned by robust data protection. In the same month, both the Managing Director and the Director of Technical Delivery at renowned loss adjusting firm Woodgate & Clark were charged by the Information Commissioner's Office with four counts of data protection breach. Data protection continues to be an area requiring investment and technical "know how". Both the ICO and the FCA are demanding that firms treat data breach as a serious issue, and with seemingly increased scrutiny and penalties for failure to resolve violations of data protection, firms need to stay ahead of and abreast of the legislation.