General Data Protection Regulation: What it will change & what you need to do to get ready



Most observers agree that, up until this year, the EU data protection regime was not fit for purpose. The Data Protection Directive ("Directive") was enacted in 1995, and struggled to cope with the new ways in which our personal data is handled following the digital revolution.

The EU response, several years in the making, is the General Data Protection Regulation ("Regulation"). It applies from 25 May 2018, so organisations have been afforded over two years from its publication in the Official Journal (on 4 May 2016) to ensure compliance with its requirements. The Regulation aims to update existing data protection law to cope with such things as cloud computing and to ensure consistency across the EU – the Directive required individual implementation by each Member State, which resulted in differing models, whereas the new Regulation will apply uniformly across the EU.

The Regulation continues to reflect the same fundamental principles, such as fairness, proportionality and the processing grounds, but also introduces additional obligations on both data controllers and data processors.

Despite the UK’s recent Brexit vote, the EU data protection regime is likely to continue to have a significant impact on UK law for the foreseeable future. The suggested timeline for invoking Article 50 means that the Regulation will apply in the UK well before the earliest realistic date for the UK’s departure from the EU.

In fact, the UK’s Secretary of State recently confirmed that the UK will implement the Regulation in May 2018. Over the longer term, whatever form Brexit might take, the UK’s Information Commissioner’s Office (“ICO”) has emphasised the continuing importance of modernising UK data protection law. It is therefore highly likely that standards which are broadly equivalent to the Regulation will be adopted as law in the UK post-Brexit.

What are the key changes?

• A broader definition of personal data, which includes cookie IDs and IP addresses.

• More personal data treated as "sensitive", including genetic and biometric data. These kinds of data will need additional layers of protection.

• An obligation to demonstrate ongoing compliance, including maintaining detailed records of processing operations and conducting data protection impact assessments for high risk projects and new products/services.

• Mandatory data breach disclosure obligations, meaning all organisations will need to report any data breaches to the data protection authority “without undue delay” and in any case within 72 hours of the breach occurring. Currently, only providers of public electronic communications services must report breaches.

• More rigorous consent requirements, meaning tighter restrictions on how organisations can obtain consent for collecting and processing personal data. Consent will need to be specific, informed, explicit and freely given.

• A “one-stop shop” established by the Regulation, which aims to reduce the administrative burden on organisations since they will only need to liaise with one lead authority in the territory of their main establishment. This is obviously one of the features that may well be impacted by Brexit in terms of the UK’s participation in the “one-stop shop”.

• An obligation to appoint a data protection officer where the business’s core activities require systematic and regular use (or monitoring) of personal data on a large scale.

• Privacy by design and privacy by default requirements: organisations will need to take privacy risks into account throughout the process of designing new technology, products and services, and businesses must ensure that, by default, only the necessary amount of personal data is collected, used and shared for each task.

• Higher fines – the Regulation will provide higher financial sanctions for both data controllers and data processors (up to €20 million or 4% of global annual turnover for serious breaches). This will inevitably motivate businesses to improve their privacy procedures and to implement a privacy by design and default culture. Following Brexit, the UK would have an opportunity to implement its own sanctions regime, but UK businesses operating in the EU will still be subject to the level of fines levied in respect of breaches affecting EU citizens (see below).

• Additional rights for individuals, including the right to be forgotten, the right of data portability and the right to be told if their data has been hacked.

• Potential global effect – the Regulation will also apply to organisations located outside of the EU where they monitor personal data concerning EU citizens and/or offer them goods or services.

What do I need to do about it?

Tech businesses should be preparing for the Regulation now. In particular, you should consider:

• reviewing the personal data you collect and process, your IT security and data protection strategy, including policies, consents and notices;

• conducting privacy impact assessments for high risk projects and new products and services;

• for businesses based outside of the EU, considering whether any of their entities will be subject to the Regulation and reviewing compliance strategies in light of the new obligations;

• devising a data breach response plan (including training, appointing appropriate roles within the business and preparing template documents);

• establishing and maintaining clear records of all data processing activities, which should be kept readily available for disclosure to the relevant supervisory authority upon request;

• reviewing the ways individuals can manage their privacy preferences, such as providing online account preference centres allowing individuals to review the data held about them, update or delete it and alter their consent preferences;

• establishing new data processing agreements, and reviewing existing ones, to ensure they comply with the Regulation;

• appointing a data protection officer with clear responsibilities;

• considering how the organisation will give effect to the new rights of individuals.

With less than two years until the Regulation applies, tech businesses should use the time between now and May 2018 to evaluate and update their compliance strategies in line with the Regulation.

The ICO has published a handy guide on the 12 steps that businesses can take now to prepare for the Regulation. The guide is available at https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf.
Article written by Iysha Stanley, Penningtons Manches LLP