As of the 25th May 2018, the Data Protection Act 1998 (DPA) will be replaced by the General Data Protection Regulation (GDPR). This will result in numerous changes with which businesses must comply, as failure to do so could result in a fine of up to 4% of annual global turnover (maximum fine of €20 Million). It is therefore vital that all key members and decision makers within the company are fully aware of, and trained on, the changes and impact that will occur as a result of the new regulations.
Some of the significant changes brought about by the GDPR include:
- Consent to use data must now be in an easily accessible form, and must be written in clear and concise language, with a positive opt-in (rather than consent inferred from the un-ticking of a box). It must be made clear to the individual that his or her consent can be easily withdrawn at any time. Businesses should record all forms of consent, and review and amend their current consent documents, so as to ensure that they follow the GDPR guidelines.
- The GDPR grants additional rights to individuals which were not contained in the DPA. Companies therefore need to implement procedures which would allow them to easily deal with customers' requests to delete all personal data or to provide copies of data electronically and in a commonly used format.
The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
- The time period for handling access requests has been reduced from 40 days (as under the DPA) to 30 days. If a request is to be refused, full and concise reasoning must be provided to the individual within one month. Failure to comply with this entitles an individual to issue a complaint to the supervisory authority or potentially to gain access to judicial review rights. It is paramount that a company which handles a large number of requests develops an efficient system so that it can provide a response without delay. It may therefore be worth considering the development of an online system to give individuals easy access to their personal information. This would allow requests to be dealt with much more efficiently.
- A company must appoint its own Data Protection Officer (DPO) if it has more than 250 employees, is a public authority, or monitors a large number of individuals and processes large amounts of data regarding special categories, such as criminal convictions. This individual should be competent in their role and able to take full responsibility for the protection of data. Under the DPA, it was not a strict requirement to appoint an overarching DPO, and data protection controllers would often submit the required information to local administrators with a part-time DPO role. Now larger companies are more likely to have to appoint someone to a DPO role solely dedicated to the protection of their customers' data.
In addition, the Privacy and Electronic Communications Regulations (PECR), which previously sat alongside the DPA, will be amended and reviewed so as to be uniform with the GDPR. Although not yet confirmed, it is thought the PECR will adopt a similar definition of 'consent' to the GDPR, and will detail specific privacy rights in relation to electronic communications. The PECR deals with electronic marketing communications and is stricter in many respects than the DPA or GDPR in this regard, as there is no possibility of even seeking to use 'legitimate business purposes' as a basis for processing without consent under the PECR.
It is vital that a company investigates and handles a personal data breach in accordance with the GDPR. Whilst companies were encouraged to report data breaches under the DPA, there was no enforcement of that guidance. Once implemented, the GDPR will require a company to report a data breach to the relevant supervisory authority within 72 hours if it is likely to result in a risk to the rights of an individual, such as damage to their reputation or loss of confidentiality.
Details which must be included in this data breach report include:
- the nature of the breach;
- the contact details of the DPO;
- a brief description of the potential consequences; and
- proposed measures to combat the breach.
The GDPR is a particularly important piece of new legislation, affecting a large number of businesses in the UK. On the whole, the rights individuals will enjoy under the GDPR are very similar to those under the DPA, but with some significant enhancements. If companies are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy.
Should you wish to discuss the GDPR in more detail and discuss how your business could effectively implement changes to adhere to the new regulations, please contact our Corporate Commercial department on 0161 832 3304.