This month, after much uncertainty since the vote for Brexit, the Government has confirmed that the UK will implement the General Data Protection Regulation (GDPR) when it comes into force on 25 May 2018.
The GDPR is a complete overhaul of the existing data protection regime, a regime which was created some 20 years ago when technology and personal data were used in very different ways. The changes introduced by the GDPR are extensive, none more so than the fact that, for the first time, it places statutory obligations on data processors as well as controllers.
Some of the key changes created by the GDPR include:
- Wider territorial scope - applying European data protection laws to certain organisations based outside the EEA.
- Breach reporting - for the first time there are express obligations, subject to some exemptions, to report data breaches to both regulators and affected individuals.
- Increased fines - currently the ICO can issue a maximum fine of up to £500,000 per breach. The GDPR creates two tiers of fines: the first, for procedural breaches, is the greater of 2% of global turnover or €10 million; the second, for more serious breaches, is the greater of 4% of global turnover or €20 million.
As mentioned above, the GDPR attempts to address the advances made in technology over the last 20 years. One example is the definition of personal data being extended to include location data and online identifiers, and the definition of sensitive personal data being extended to include biometric and genetic data.
Consent and the standard to which it is held has also been overhauled. There are more prescriptive requirements for obtaining consent. Silence, pre-ticked boxes or inactivity do not constitute consent under the GDPR. It must also be as easy for individual data subjects to withdraw as it is to give consent. Organisations that currently use pre-ticked boxes on their online consent forms or hide such consent away in privacy policies will need to update and refresh these to ensure compliance with the GDPR. It is important to remember that consent is not the only condition that organisations can rely on for processing personal data, and with this increased ability to withdraw consent it is worth considering what other conditions for processing are available to an organisation!
In preparation for 25 May 2018, organisations should review existing policies and procedures, increase training, consider existing contracts and look to vary them where necessary. Identify any areas of non-compliance using updated risk registers and implement a mitigation strategy as soon as possible to avoid potential sanctions in the future.
The Secretary of State's confirmation provides businesses with some welcome certainty and will now hopefully focus minds on the process of overhauling organisations' data protection compliance in time for the 25 May 2018 deadline.