General data protection regulation – will your business be ready?

With new EU data protection rules coming into force before the UK leaves Europe, how will they affect you? John French explains.

The General Data Protection Regulation (GDPR) is a new EU data protection regime approved by the European Parliament on April 14, 2016. It is due to come into force on May 25, 2018, and will replace the existing Data Protection Directive and, in the UK, the Data Protection Act 1998.

The purpose of the GDPR is to provide greater harmonisation by introducing a single legal framework that applies across all EU member states. Some of the key provisions of GDPR are:

  • Increased enforcement powers. The GDPR significantly increases maximum fines. Under the GDPR the maximum fine will be €20 million or 4% of annual worldwide turnover, whichever is the greater; currently the maximum fine in the UK is £500,000. An SME would need to be processing large volumes of personal data with a cavalier disregard for the regulation, and with other aggravating circumstances, to attract the maximum fine, so penalties will be applied proportionately. It remains to be seen whether the real level of fines will rise significantly, but the risk profile is dramatically increased.
  • Consent to processing will be harder to obtain. The GDPR requires a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the individual’s agreement to their personal data being processed, such as a written statement. Businesses must be able to demonstrate that the individual has given consent, and the individual has the right to withdraw it at any time. Failing to un-tick a pre-ticked box would not constitute valid consent, and it is risky to rely on implied consent. Businesses cannot rely on consent as a legal basis for processing where there is a ‘clear imbalance’ between the parties (for example between employer and employee), because consent is then presumed not to be freely given.
  • A risk-based approach to compliance. Businesses bear the responsibility for assessing the degree of risk that their processing activities pose to their patients and customers. There is a new accountability principle, with requirements to maintain documentation, to practise privacy by design and default, to carry out privacy impact assessments (PIAs), to meet data security requirements and, for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, to appoint a data protection officer.
  • Privacy by design and default. When creating new products, services or other data processing activities, businesses must design for data protection, both when deciding how the processing will be carried out and during the processing itself, and must build in protective defaults, for example collecting only the personal data needed for the purpose.
  • Privacy impact assessments (PIAs), called data protection impact assessments in the regulation. These are required where processing is likely to result in a high risk to individuals, for example where decisions that produce legal effects on, or similarly significantly affect, an individual are based on automated processing such as profiling.
  • Pseudonymisation. A new concept whereby personal data is processed so that it can no longer be attributed to a specific individual without the use of additional information, such as a key or lookup table, which is kept separately and protected by technical and organisational measures. Pseudonymised data is still personal data, because the link to the individual can be restored, but the regulation encourages its use as a safeguard and it may be subject to fewer restrictions on processing. This is distinct from anonymised data, which no longer allows identification at all and falls outside the GDPR.
  • Strict data breach notification rules. Businesses must notify the supervisory authority (in the UK, the Information Commissioner’s Office) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must be told as well.
  • The ‘right to be forgotten’. Individuals will have the right to request that businesses delete their personal data where, for example, it is no longer necessary for the purpose for which it was collected or the individual has withdrawn their consent.
  • Data subject access requests. Businesses must reply to a subject access request (a written request by an individual for the information they are entitled to ask for) within one month rather than the current 40 days, although that period is extendable by a further two months for complex or numerous requests. A business cannot charge for meeting a subject access request unless the request is ‘manifestly unfounded or excessive’, in which case a reasonable fee can be charged. The current £10 fee will be abolished.
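The pseudonymisation bullet above is the one provision in this list that describes a technique, and the detail that matters in practice is the ‘additional information kept separately’. The following Python example is added here to illustrate that point; it is not code from the article or from any regulator. It assumes HMAC-SHA256 keyed tokens as the pseudonymisation method, uses a constructed set of fictional patient records, and contrasts the keyed approach with the common mistake of using a plain, unkeyed hash of the identifier, which anyone with a list of plausible identifiers can reverse.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people, not data from the article).
RECORDS = [
    {"email": "Alice@example.com", "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"email": "bob@example.com", "postcode": "M1 1AE", "diagnosis": "diabetes"},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "diagnosis": "hay fever"},
]


def _normalise(identifier: str) -> str:
    # Canonicalise so "Alice@example.com" and "alice@example.com" map to one token.
    return identifier.strip().lower()


def make_token(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the canonical identifier."""
    return hmac.new(key, _normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes, field: str = "email"):
    """Return copies of the records with the direct identifier replaced by a token.

    The key is the "additional information" of Art. 4(5): it must be stored
    separately from the pseudonymised dataset (for example in a KMS or HSM with
    its own access control), otherwise the dataset is simply personal data under
    another name. Because HMAC is deterministic, all records about one person
    carry the same token, so they can still be joined for analysis.
    """
    out = []
    for record in records:
        pseudo = {k: v for k, v in record.items() if k != field}
        pseudo["subject_token"] = make_token(record[field], key)
        out.append(pseudo)
    return out


def relink(token: str, candidates, key: bytes):
    """Re-identify a token by recomputing HMACs over a list of known identifiers.

    This is what the key holder can legitimately do. Without the key it fails
    even when the attacker knows exactly which identifiers might be present.
    """
    for candidate in candidates:
        if hmac.compare_digest(make_token(candidate, key), token):
            return _normalise(candidate)
    return None


def naive_hash(identifier: str) -> str:
    # The weak approach: an unkeyed hash, often mistaken for pseudonymisation.
    return hashlib.sha256(_normalise(identifier).encode("utf-8")).hexdigest()


def reverse_naive_hash(digest: str, candidates):
    """Dictionary attack on an unkeyed hash: anyone holding a plausible list of
    identifiers (a leaked customer list, every valid UK phone number, ...) can
    recompute the hash and reverse it. No secret is needed."""
    for candidate in candidates:
        if hmac.compare_digest(naive_hash(candidate), digest):
            return _normalise(candidate)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated here; in production it lives apart from the data
    dataset = pseudonymise(RECORDS, key)
    for row in dataset:
        print(row)
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    # Attacker without the key: keyed tokens resist the dictionary attack ...
    print(relink(dataset[0]["subject_token"], guesses, secrets.token_bytes(32)))
    # ... while unkeyed hashes of the same identifiers fall straight away.
    print(reverse_naive_hash(naive_hash("alice@example.com"), guesses))
    # The key holder re-identifies the token when there is a lawful need.
    print(relink(dataset[0]["subject_token"], guesses, key))
```

Two design points follow from the regulation’s wording. First, the key, not the hash function, is what makes the data pseudonymous: if the key is stored next to the dataset, or the tokens are unkeyed hashes, the ‘additional information’ is not separate and the protection is illusory. Second, deterministic tokens keep records about one person linkable, which is usually what analysis needs; where linkage is not needed, random per-record tokens with a separately held lookup table leak even less.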

The effect of Brexit on the GDPR

The GDPR is due to take effect in the UK on May 25, 2018, and since the government triggered Article 50 in March 2017, it will have come into force before we leave the EU in 2019.

While Brexit could in principle result in an automatic disapplication of the GDPR, the indications are that it will be carried wholesale into our domestic legislation under the Great Repeal Bill. It therefore seems safe to assume that GDPR is coming and that Brexit will not affect that.

Be prepared

Use the time between now and May 2018 to ensure your organisation will be compliant.

  • Review policies and procedures, particularly around obtaining consent.
  • Carry out an audit of what data your business holds, for what purpose, where it is held and with whom it is shared.
  • Ensure good data security.

It is important to add that the regulation recognises that SMEs have fewer resources, and it allows them some leeway in the degree of documentation and record keeping they must maintain: organisations with fewer than 250 employees are exempt from keeping full records of processing activities, provided the processing is only occasional, does not involve special categories of data and is unlikely to present a significant risk to data subjects.

But be warned: the regulation expects all SMEs to take a more proactive approach to data protection and privacy, and it contains many articles which apply equally no matter what size of organisation you are. My advice is that the sooner you start to get your GDPR strategy in place, the better.