The new GDPR came into force in May 2016 and will apply from May 2018. It will change the landscape dramatically in terms of notification, responsibilities and penalties.
The objective of the new GDPR is to give EU citizens control over their personal data, and to simplify the regulatory environment for business. But what will it all mean for the UK post-Brexit?
EU Member States have to transpose the GDPR into their national law by 6th May 2018.
The UK government has indicated it will implement equivalent or alternative legal mechanisms post-Brexit. These are likely to follow the GDPR, given the support that both the government and the ICO (Information Commissioner's Office) have given to the reform.
If you process data about individuals in the context of selling goods or services to citizens in other EU countries, then you will need to comply with the GDPR, whether or not the UK retains the GDPR post-Brexit.
What are the key changes?
Jurisdiction
One of the big changes the GDPR makes is to extend jurisdiction. It will apply to all companies processing the personal data of data subjects residing in the Union, regardless of that company's location.
Fines
Under the new GDPR, organisations in breach of the regulations can be fined up to 4% of annual global turnover or €20 million (whichever is greater).
There will be a tiered approach: for example, a company can be fined 2% for not having its records in order (Article 28), for not notifying the supervisory authority and the data subject about a breach, or for not conducting an impact assessment.
These rules apply to both data controllers and processors, meaning cloud providers ('clouds') will not be exempt from GDPR enforcement.
Consent
The conditions for consent have been strengthened.
A request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
The request must be clear and distinguishable from other matters and use clear and plain language.
It must be as easy to withdraw consent as it is to give it.
The ICO advises that there must be some form of clear affirmative action (a positive opt-in). Consent cannot be inferred from silence, pre-ticked boxes or inactivity.
Data subject rights
Data subject rights have also been updated and strengthened. These changes cover:
- Breach notifications
- The right to access
- The right to be forgotten
- Data portability
- Privacy by design
- Data Protection Officers
Let's look at some of those in more detail:
Right to access
Data subjects have the right to obtain confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Controllers will have to provide a copy of the personal data, free of charge, in an electronic format.
This is a big shift to data transparency and empowerment of data subjects.
Privacy by design
The new GDPR takes the concept of 'Privacy by Design' and makes it part of a legal requirement. This calls for the inclusion of data protection from the onset of system design, not as an addition.
Article 23 calls for controllers to hold and process only the data absolutely necessary for their purposes (data minimisation), and to limit access to personal data to those who need it for processing.
Data Protection Officers
Under the new GDPR it will not be necessary to submit notifications or registrations to each local DPA, or to notify or obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there will be internal record keeping requirements.
A Data Protection Officer (DPO) is only mandatory for data controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of:
- data subjects on a large scale; or
- special categories of data; or
- data relating to criminal convictions and offences.
So what next?
What personal data do you hold? Where did it come from, and who do you share it with? Do your procedures cover all the rights individuals have (for example, deleting personal data or providing it in electronic form)? How do you seek, record and manage consent?
Our Data Protection course has just been updated to help you discover what you need to know about the GDPR and think about the changes your organisation might need to be making before May 2018.