General Data Protection Regulations
The General Data Protection Regulations (“GDPR”) is a new piece of legislation which will replace the existing UK Data Protection Act 1998 (“DPA”) and will come into force as from 25 May 2018.
It is an EU Regulation (“Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016”). The British government has confirmed that the UK’s decision to leave the EU (Brexit) will not affect the commencement of the GDPR.
GDPR takes a similar approach to existing data protection legislation but there are some important changes described below.
The operation of GDPR in the UK is the responsibility of the Information Commissioner’s Office (“ICO”) which is a non-departmental public body reporting directly to Parliament and sponsored by the Department of Culture, Media and Sport. The ICO is the UK’s independent regulatory body dealing with information rights and data protection and is based in Wilmslow, Cheshire with a Scottish branch office in Edinburgh.
GDPR is very important for internal auditors, external auditors and members in business, all of whom need to be aware of GDPR in these ways:
- Do their organisations have a plan to prepare for GDPR?
- Is there evidence that the plan has been given sufficient resources and key management commitment?
- Does management at all levels, including Board level, appreciate fully the impact that GDPR will have on their organisation? Businesses face potential huge fines (of up to 4% of their annual global turnover, or 20 million euros, whichever is the higher), if they fail to comply with the new rules.
- Have management identified areas that could cause compliance problems under GDPR?
Which organisations does GDPR apply to?
GDPR applies to ALL organisations collecting and processing personal data of individuals residing in the EU regardless of the organisation’s physical location. All businesses, even those located outside of the EU, MUST comply with GDPR where they offer goods or services to individuals within the EU or monitor the activity of people within the EU (internet profiling). There are clearly implications here for UK-based groups with foreign subsidiaries based outside the EU.
GDPR will cover companies, sole traders, partnerships, public sector bodies, charities and membership organisations. It is difficult to imagine which organisations would not fall under these regulations.
What does GDPR cover?
GDPR, like the DPA, applies to “personal data” but beware - the GDPR’s definition is much broader. The ICO website says that “… GDPR’s definition is more detailed and makes it clear that information such as an online identifier - e.g. an IP [Internet Protocol] address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.”
GDPR applies to both data held on automated systems (e.g. a computerised database or spreadsheet) and to manual filing systems (such as a card index) where personal data are accessible through specific criteria.
Preparing for GDPR
The ICO website has very useful information on GDPR, especially the section entitled “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now”.
The GDPR will apply to both “controllers” and “processors” that are handling the data of European citizens. “Controllers” are those who determine how and why personal data is processed whilst “processors” are those who carry out the processing on the controller’s behalf. The controller is responsible for ensuring the processor abides by data protection legislation.
It is essential that organisations now document systematically what personal data they hold, where it came from and with whom it is shared.
What changes does GDPR bring to data protection legislation?
In many cases, what was previously good practice in data protection has now been made a legal requirement.
- Potentially “eye watering” fines: A fine of up to €20 million or 4% of total worldwide turnover, whichever is higher, may be imposed for the most serious offences such as breach of basic data processing protection principles.
- Privacy by design: Privacy by design (basically, security built into processes from the start), which was traditionally good practice, is now an express legal requirement under the term “data protection by design and by default”.
- Mandatory breach notification: Organisations will now be required to notify the ICO within 72 hours of discovering a security breach that poses a risk to the rights of individuals.
- Data processors: Under existing legislation, data processors are not under any direct legal obligations and the data controller is responsible for any breach committed by the processor. A major change to be brought in by GDPR now places obligations on data processors, including the requirement to introduce appropriate security standards, ensure adequate record keeping and to inform the data controller of any breach. Data processors will now be liable to regulatory fines or private claims from individuals in the event of a breach.
- Accountability requirement: GDPR places a new obligation on controllers and processors to demonstrate how they are complying with the legislation. This will require the creation and maintenance of robust data processing registers, if they are not already in use.
- Right to be forgotten: EU citizens will be able to request the data controller to not only delete their personal data but to stop sharing it with third parties, who are then obligated to stop processing it.
- Right to access: Companies must be able to provide electronic copies of private records to individuals.
- Consent: Organisations will be required to obtain an individual’s consent to store and use their data and to explain how it is used.
- Children’s personal data: GDPR now brings in the requirement of special protection for children’s personal data, especially in the context of commercial internet services.
- Data Protection Officers (“DPO”): Certain organisations, mainly those whose processing of data involves regular and systematic monitoring on a large scale or in the public sector, will be required to have a formally designated DPO.
Even for those organisations that are not required to have a DPO, it is vital that there is a person within that body, or an external data protection advisor, who takes proper responsibility for its data protection compliance and, crucially, has the knowledge, support and authority to carry out their role effectively.
Lastly, the words of Rob Luke (Deputy Information Commissioner) in a speech at the TechUK event in London on 25 May 2017 on “Will GDPR Change the World?”:
“What we can safely say however, is that one way or another, GDPR is going to be an important part of the global data protection landscape over the years ahead, with great relevance to UK organisations, the public and their data.”
“The moment at which GDPR takes effect in the UK on 25 May 2018 will of course mark a change. In delivering legislation fit for the digital age GDPR confers new rights and responsibilities and organisations need to be working now to prepare for them.”