The new Data Protection Law
31st May 2017
Companies and business organisations of all shapes and sizes need to be ready for the implementation of the General Data Protection Regulation (the GDPR) on 25th May 2018, which will replace the Data Protection Act (DPA) of 1998. The new Regulation will come into effect despite Brexit, as the UK government has already clearly stated that it will be unaffected by the so-called Great Repeal Act that may affect other areas of law derived from the EU. The principles remain largely the same, though the eight DPA principles of data processing have been reduced to six; however, the sanctions for failure to comply, in terms of fines and punishment, are far greater than under the DPA, and the compliance obligations are much more onerous.
Background to the DPA
The DPA arose from the Data Protection Directive of 1995, at a time when only the larger corporations were able to store, process and collect large amounts of data. Since then a digital revolution has taken place, advances in information technology have been immense, and even the smallest organisations now collect large amounts of data. Personal data is used in all areas of business practice, from marketing to customer relations. Cyber crime has increased year on year, and theft is now more likely to happen when a person is at home or at work than when walking down the street. Major data breaches at large corporations such as Carphone Warehouse have hit the news headlines, and some business organisations have lost data forever. Companies in the UK lost over a billion pounds to cyber crime in 2016, and a 2015 report from the Federation of Small Businesses is alarming: it makes the point that smaller companies with less effective defences are seen as easy targets. The number of cyber attacks on smaller organisations comes to 7 million per year, or 19,000 per day.
The key changes that are coming in
1. A much stricter standard of consent from the individual will be required before data can be processed and stored. All organisations will need to be able to show that clear and unambiguous consent was obtained; pre-ticked boxes or silence will no longer be enough. Only explicit consent will count, and it must be evidenced before data is processed.
2. Individuals will be able to withdraw consent to the storage and processing of their data easily and at any time, and organisations will need procedures in place to deal with this or face draconian financial sanctions. Data subjects will gain a right to be permanently erased and forgotten, and every organisation that processes such data will need procedures in place to demonstrate compliance with it.
3. In the event of a data breach or theft of data, it will be compulsory to inform the authorities, namely the Information Commissioner's Office, within 72 hours.
What can be done to get ready for these changes?
1. All organisations should carry out what is known as a privacy impact assessment (PIA) to assess why they are processing data: is there any justification for doing so, is it being done in an intrusive manner, and does it impact on rights to privacy?
2. In the light of the findings from the PIA, you need to consider whether you still need to collect and process data on a data subject, how to minimise the risk of breaches, and how to deal with breaches should they arise.
3. Appoint a data controller to oversee the process, ensure compliance and keep the necessary internal records.
The penalties are immense: fines can be up to 20,000,000 Euros (£17,000,549.12) or four times global turnover, whichever is the greater.
This is a vast increase on the maximum penalty that could be levied under the DPA, which was fixed at £500,000.
Note: This is not legal advice; it is intended to provide information of general interest about current legal issues