In focus: What GDPR means for your data responsibilities

Next May, new European Union rules governing data ownership and handling come into law across the region. Optician introduces the General Data Protection Regulation and asks some IT experts what it means for optics.

Brexit is likely to change many aspects of business, commerce and everyday life in the UK but there is one legislative leviathan even Brexit cannot bring down.

From May 25 next year the General Data Protection Regulation (GDPR) comes into force across the 28 European Union states, bringing fundamental change to the way personal data is treated.

The regulation was actually adopted in 2016 and caused a flurry of excitement when it hit the statute books, but a two-year transition period defused the impact of its adoption. It has been described as the most heavily lobbied piece of legislation ever to make it into European law and, according to commentators, it could have been a lot tougher. With the EU’s transitional period due to lapse, the clock is now ticking.

Anyone hoping for a get-out-of-jail-free Brexit option will be disappointed. The UK legislation clearing the way for GDPR to go into law and replacing the 1998 Data Protection Act was contained within the Queen’s Speech this year. The plethora of business advice to be found on the internet confirms that the UK Government has said: Brexit or no Brexit, the GDPR will be adopted into law.

As a regulation, GDPR goes straight into law in all 28 European states without requiring any other legislation, although local governments are putting it onto their statute books.

That the UK has started this legislative process is not surprising given that the regulation crosses boundaries in its scope.

GDPR is all about data, its collection, ownership, processing and use. It seeks to protect the data subject and place obligations on the data collector and user. If the data in question is European or the company collecting and using the data is European then GDPR will apply. It does not matter where the bill is paid.

What GDPR seeks to do is beef up the data protection act for individuals. In doing so it has imposed a huge raft of obligations and requirements on those who collect, manipulate and store data. But this legislation is not just for data farms and marketing businesses.

Pure data businesses have been working on systems, policies and procedures since the adoption of GDPR in 2016. While they were the first to sit up and take note, retailers and suppliers are being warned to get ready too and there is a legion of experts offering advice. As ever with law, the devil is in the detail.

The scope of GDPR means retailers must take a closer interest in data protection issues. The new regulations require data processors, those who take and handle the data, to take responsibility along with the data controller. The controller is defined as the person who decides what will happen to the data.

Personal data is defined as the obvious emails, addresses, dates of birth, etc, but may also include less obvious ‘data’ such as images or CCTV footage. More sensitive classifications of data also exist for more sensitive subjects such as race, sexual orientation, religion, political allegiance or biometrics. Healthcare is provided as an exception for collection of necessary data for the patient’s or the public good. The exemptions are laid out in Article 9, but it is not immediately clear if optical records, other than those involving life-threatening or contagious conditions, are included. Totally anonymised data is exempt.

In an effort to protect the individual there are rigorous rules around the collection of data and consent. The data must be collected with full consent, and the individual must be informed about how the data is used, how long it will be kept for and the explicit uses for which it is being collected. Interestingly, employers cannot assume consent from data held on their own employees. If it is collected during the course of their employment, it is deemed not to have been collected without duress.

If explicit consent has not been gathered, the data cannot be used for any form of marketing, profiling or monitoring; this applies to data held electronically or on paper. The act of collecting and storing the data is deemed to be processing it. The amount of data collected must also be justified and be backed by policies, training and record keeping.

There are clear principles that data collection should adhere to, covering collection, consent and communicating with customers. Record keeping, policies and training all feature highly along the journey of collection.

One of the more understandable guides to GDPR takes the form of a YouTube seminar by GDPR practitioner Sean Huggett of Softcat, an IT supplier to the public sector.

He said that, while the systems are important, GDPR is not an IT issue. ‘It’s not an information security issue, it’s about data protection and understanding the data you have and being able to prove that you are protecting the rights of the individual that data refers to,’ he said, adding that it is not an IT challenge but a business challenge. And it hinges on the way organisations manage the relationship of trust they have with their customer.

The amount of data held must be proportionate. It should only be kept for as long as is reasonably necessary and only the data needed for contractual purposes should be collected. Organisations have to tell the subject why the data is being collected, how long the data will be kept for and when it will be deleted.

Another big area of change over the Data Protection Act, in regard to the data subjects’ rights, surrounds access, manipulation and removal. Extended Subject Access Rights mean the subject can object to processing, has rights to rectification and movement of the data, and has ‘the right to be forgotten’.

Big data users have been sparked into action by a raft of new penalties, which are much harsher than previously. Fines of up to €20m or 4% of global turnover are possible, so it is not surprising many big organisations have been animated by the new rules. Damages suffered as a result of data misuse have also been extended to include emotional harm as well as monetary loss.

Not only are the rights to access greater, but the time limit on disclosure is shorter and the holder cannot charge a fee. ‘You should think about how you handle SARs,’ Huggett said in the seminar. He said he expected the number of subject access requests (SARs) to go up and even suggested they could become the subject of fishing for breaches, as happens with PPI.

This was yet another area where training was required, he said. Staff need to understand when a SAR is made, as it could be requested by any method, even through social media.

Opticians may not immediately think of themselves as heavy data users but patient details are increasingly used for automated and profiled marketing, recall and communication.

It may well be that the Information Commissioner’s Office takes a softer line with professional use of data, but as the regulation looms all businesses would be well advised to look into their data compliance.

Reviewing existing software procedures

‘We’ve always had the Data Protection Act (DPA) and, effectively, GDPR is just a beefed-up version of it, so most of your software houses will already have had to comply with the DPA,’ said Optisoft’s Keith Sheers.

‘In our case, we’ve had to review our system, so when we get data in from a customer, [we check that] it’s signed in, kept for a minimal period and then deleted. We are making sure data is correctly dealt with,’ he added.

In addition to explaining what actions his company had taken to comply with the new European ruling, Sheers urged practices up and down the country to get their houses in order before May.

‘It’s the company’s responsibility to look after data protection. We will be putting in what’s needed for them [practices] to do some of the job. But that doesn’t mean they don’t have to do something – they do. They have to look at their systems and look at proof of permission,’ he said.

Finally, the Optisoft owner highlighted possible contradictions within the incoming law, and urged clarification ahead of the changes.

‘The patient has the right to come in and say, “I want you to remove me as a patient”. But that causes some issues because there’s a recommended period of retention for opticians to keep patient records. Although they have the right to erasure, you also have a legal requirement to keep [patient records] and pass them onto the next practice.’

Keith Sheers, managing director and owner of Optisoft

Implications horrendous for the unwary

‘We are removing all customer data from our sites, so they won’t have any data for their patients stored locally. Every single customer will get the new version automatically, pre-GDPR. There’s nothing for them to do apart from wait for it to happen,’ said Rowley.

When asked if his company was doing enough to make practice owners aware of the incoming changes to data protection, the director said: ‘Our customers realise because we’ve absolutely told them all. It’s the little guys, the one-man bands, who have really simple systems, that do not realise the risk. They need to look at their databases around fundus camera and OCT machines and ask if it’s encrypted. And if it’s not, it ought to be.’

Despite some grey areas with the new ruling, Rowley was confident with the company’s preparations for spring. He said: ‘GDPR does not say you have to encrypt your database, but if you have a break-in or if you dispose of a computer without deleting all the data, the implications are horrendous. That’s what people aren’t appreciating.’

Trevor Rowley, managing director of Optix