The General Data Protection Regulation (GDPR) has caused a real stir amongst organisations (both public and private). Whilst the Data Protection Act 1998 did not attract great interest in the commercial world when it came into force, the GDPR, with its enormous maximum penalties (20 million Euros or 4% of worldwide GDP), is causing all sectors to wake up to the impending necessity to engage with data protection requirements.
There has been speculation as to how the onerous requirements of the GDPR will apply following Brexit. However, the Information Commissioner’s Office (ICO) has been clear throughout; the GDPR will apply in any event. Essentially, the ICO’s view is that we live in a world that has changed beyond all recognition in terms of technology, data usage and access to data. To keep up with this changing world, more effective and up-to-date legislation is required to ensure that individual rights are respected and that both public and private sector organisations have appropriate systems, processes and training in place to protect these rights.
The Data Protection Bill, which will replace the Data Protection Act 1998, has been drafted to provide clarity in relation to UK law, both in respect of those sections of the GDPR that allow for local variation and to avoid any confusion relating to the effect of Brexit. The Bill actually goes further than required by the GDPR in relation to law enforcement and the application of data protection to the intelligence services. The Bill had its first reading on 13 September, had its second reading on 10 October and was debated in Parliament on 12 October 2017. It is intended that the Bill will come into force by 25 May 2018. In particular, it will have the effect that the GDPR will be incorporated into UK law regardless of Brexit.
1. The key changes to existing UK law are:
Much tougher reporting and notification obligations
a. Under the existing legislation in the UK, there is no legal obligation to report data breaches to the Information Commissioner. The Bill includes a mandatory reporting requirement. Data controllers will have to notify the Information Commissioner (where feasible) not later than 72 hours after becoming aware of the breach, unless they are able to demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of the data subjects concerned.
Notifications must also be made to data subjects “without undue delay” if the breach is likely to result in a high risk to their rights and freedoms.
The right to be forgotten
b. When a data subject no longer wants their personal data to be processed and there are no legitimate grounds for retaining it, the data must be deleted. Consumers will be able to ask businesses and organisations for access to their personal data and for it to be deleted, giving them more control over how their information is removed.
c. UK law will extend the GDPR by requiring social media companies to delete all of a person’s posts from before they were under 18, if they request this.
A new right of data portability
d. A new right for data subjects making it easier to transfer personal data between service providers. On request, a data controller must:
i. provide the data subject with a copy of the personal data which was provided by them to the data controller (not data which has been generated by the data controller itself) in a structured, commonly used and machine-readable format;
ii. not hinder the data subject’s transmission of personal data to a new data controller; and
iii. where technically possible, transmit the personal data directly to another data controller at the data subject’s request.
Easier access to one’s own data
e. Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way.
Application to both data processors and data controllers
f. The law will generally apply to data processors and data controllers, whereas previously the focus was very much on data controllers.
Mandatory appointment of Data Protection Officer
g. There is a requirement for the mandatory appointment of a Data Protection Officer for all public authorities (other than the courts), and companies that process large scale or particular categories of personal data.
Wider definition of personal data
h. The definition of personal data will be greatly expanded to reflect new types of data that were not covered by the Data Protection Act 1998. These include IP addresses (used to identify a telephone or computer visiting a website), internet cookies (data about web browsing habits) and DNA. This follows concerns that internet browsing records are increasingly being used for marketing purposes.
Explicit consent required in more circumstances
i. At present, many websites force visitors to opt out of being added to email and phone call lists by ticking boxes at the end of online forms. Consent to privacy policies that web users merely read is often assumed. The Bill will require consent to be explicit. People will have to opt in to being put on cold-calling lists and be made aware that their information is being passed on to marketing companies.
j. When individuals are “profiled” by an algorithm based on their personal data, such as an evaluation of their health, wealth or movements, individuals can demand this action is performed by a person, rather than a machine.
The Bill contains a provision that enables data controllers and data processors to lawfully process data for the purpose of legitimate interests. However, this does not apply to public authorities. The term “public authority” is not defined in the GDPR. The Bill has adopted the definition used in the Freedom of Information Act. This definition is extremely wide, and it is therefore likely that more bodies will lose the benefit of the legitimate interests condition than might have been expected.
Children and Parental Consent
Member States can choose the age at which children may provide consent to their personal data being used (provided that the age is not below 13). The Bill sets the age at which parental consent is not needed at 13.
Data controllers will need to have a document in place which explains how they comply with Article 5 of the GDPR and their retention and erasure procedures.
The new maximum penalties are of great concern to most organisations and can be summarised as follows:
Under the current regime, the ICO only has the power to impose fines of up to £500,000 for serious breaches of the Data Protection Legislation. When the Bill comes into force, the ICO will be able to fine businesses up to £20 million or 4% of annual global turnover.
2. New criminal offences
There will also be two new criminal offences, which could be accompanied by unlimited fines:
i) Re-identifying people from anonymous data: data is often kept anonymous to respect people’s privacy, but by piecing together many separate fragments it might be possible to identify an individual’s browsing habits or credit card transactions. This will become a criminal offence.
ii) Changing data: organisations could also face criminal charges if they tamper with data that has been requested by an individual.
What does this mean for you?
All organisations (who have not done so already) will need to conduct a full review of their privacy, data protection and cyber security policies, identifying any potential gaps and ensuring that appropriate systems are put in place in advance of the legislation coming into effect. Staff will need to receive training in relation to the new policies/systems.
Should a breach occur and there is a risk to the rights and freedoms of the data subjects concerned, it will be necessary to report to the authorities within 72 hours of the breach, and to report to the individuals whose data has been breached as soon as possible (where the risk is high). The Information Commissioner will consider whether appropriate systems were in place, whether there is a history of breaches, and the evidence of general compliance with the new legislation.
Those organisations who are not required to have a Data Protection Officer should consider appointing a particular member of staff to deal with these responsibilities (even if they have other roles too). The role of data protection within organisations can be seen as akin to HR. Given the challenge of ensuring that the necessary systems are in place we anticipate that before long a substantial proportion of organisations will have someone fulfilling this function, reporting directly to the Board.