As everyone is no doubt aware, on 23 June 2016 the British public voted to leave the European Union and the Government is expected to trigger Article 50 (which will start the formal exit procedure) before the end of March 2017.
Another significant event took place within the EU only a few weeks before the referendum which, despite the UK leaving the EU, will still impact on the UK and its businesses. The text of the General Data Protection Regulation (“GDPR”) was officially adopted in May 2016 and will be effective from 25th May 2018. Even though it is anticipated that the UK will be in formal negotiations to leave the EU by that date, the GDPR will become law in the UK, and even if it were not to become law in the UK, any businesses supplying goods or services to the EU will still be required to comply with the GDPR.
The GDPR applies in relation to personal data, which is defined as “any information relating to an identified or identifiable natural living person”. It requires data controllers, and also data processors, to comply with a number of principles when processing personal data. These principles, and the GDPR in general, are significantly more onerous (with greater penalties for non-compliance) than is currently the position under the Data Protection Act 1998. With under a year and a half to go until the GDPR takes effect, businesses are advised to start thinking about and implementing new procedures within their organisation so that those procedures are workable and effective ahead of the commencement date.
Article 23 of the GDPR requires businesses to have in place appropriate technical and organisational measures to ensure that the protection of personal data is built into the processing activity itself. This is known as “privacy by design”. Only personal data which is necessary for the specific processing purpose should be obtained. This is known as “privacy by default”. Data should only be retained for so long as it is needed for the specific purpose for which it was obtained. The individual must consent to their data being obtained and processed, and such consent must be freely given, specific and unambiguous.
If a business is carrying out high risk processing activities it should carry out regular impact assessments of those activities. How regularly these assessments should be carried out will depend on the size of the organisation and the level of risk, but annually seems to be a reasonable minimum frequency.
Data subjects (those to whom the relevant personal data relates) will have enhanced rights under the GDPR, including the right to be forgotten, the right to rectification and the right to restriction of processing. These rights allow the individual to have their data deleted where it is no longer needed for the purpose for which it was obtained, have their data corrected in respect of incomplete or inaccurate data, and to object to the processing of their data where the processing is unlawful. Businesses will need to ensure that they are readily able to comply with any legitimate requests from data subjects pertaining to their data.
Given that the penalties for non-compliance are significant (the greater of €20m or 4% of an organisation’s annual worldwide turnover), organisations should start reviewing their current procedures and deciding how these will need to be adapted to ensure compliance with the GDPR. In addition to actually being compliant with the new Regulation, organisations will also need to be able to demonstrate how they are compliant, so this must also be considered. A good place for an organisation to start would be the appointment of a Data Protection Officer, which is mandatory under the GDPR for organisations whose core activities involve systematic monitoring or large scale processing of sensitive personal data, and for public authorities.
If you would like further information or assistance in relation to the General Data Protection Regulation please get in touch with me.