On 15 December 2016 the House of Commons library published a briefing paper “Brexit and data protection”, which discusses the current reform of EU data protection law, the interaction with UK law, and the potential consequences of Brexit in this connection. The UK must apply the General Data Protection Regulation (GDPR), which is now in force, by 25 May 2018.
The changes have arisen due to divergences in enforcement of previous data protection laws by EU member states, and in January 2012 the European Commission therefore proposed a new framework for data protection. In its finalised form, it has two elements:
- GDPR, which is now in force, but there is a two-year transition period for implementation, meaning that the UK is not obliged to apply it until 25 May 2018.
- Directive on data transfers for policing and judicial purposes. This is now also in force and EU member states are required to transpose it into their national law by May 2018.
The Regulation is probably of more interest than the Directive. Note that a directive is implemented and enforced by individual countries, whereas a regulation becomes law without change once it is passed. The current EU data protection directive has produced a patchwork of slightly different laws across Europe, but the new regulation will apply uniformly in all 28 countries. It will apply to any company that handles EU citizens’ data, even if that company is not based in Europe.
It includes new provisions on:
- Increased territorial scope - Companies targeting consumers in the EU will be subject to the GDPR. This is not the case at the moment.
- Penalties - There is an increase in the amount of money regulators can fine companies who do not comply – up to 4% of their global turnover or 20 million euros (£15.8 million), whichever is the greater.
- Consent - Data controllers relying on the consent of the subject must be able to demonstrate that it was freely given, specific, informed and unambiguous for each purpose for which the data is being processed. So, for example, pre-ticked boxes will no longer constitute consent. Subjects will need to opt-in rather than opt-out in relation to the use of their data.
- Privacy by design - The Regulation calls for data protection to be built into systems from the outset of their design, rather than added on afterwards. Article 23 calls for data controllers to hold and process only the data absolutely necessary for the completion of their duties (“data minimisation”), and to limit access to personal data to those who need it to carry out the processing.
- Data protection officers - It will be mandatory for large companies to employ a data protection officer.
In addition, businesses will be required to be able to show how they are complying with the legislation. They will need to have the necessary procedures in place and be able to demonstrate the systems they have to achieve compliance.
It also enhances data subjects’ rights with new provisions covering:
- Breach notification - Breaches must be reported within 72 hours.
- The right to access - The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of, and can verify, the lawfulness of the processing (Recital 63). Firms must provide a copy of the information free of charge. The removal of the £10 subject access fee is a significant change from the existing rules under the DPA. However, firms can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. They may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that they can charge for all subsequent access requests; the fee must be based on the administrative cost of providing the information. Firms will also have less time to comply with a subject access request under the GDPR. Information must be provided without delay and at the latest within one month of receipt. Firms will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, they must inform the individual within one month of receipt of the request and explain why the extension is necessary.
- The right to be forgotten - The somewhat controversial right to be forgotten is being extended beyond web searches to all aspects of online transactions e.g. someone could ask social networks to delete their profile entirely.
The Regulation will apply to all UK companies when it becomes legally enforceable on 25 May 2018. It is highly likely that the UK will still be a member of the EU on that date, so companies should already be making plans to review the requirements and assess the implications of the GDPR for their business. It is also highly likely that the UK will mirror the Regulation when it leaves the EU, at least in the short term. The questions which firms should now be addressing include:
- What are the new obligations under the GDPR and how do they apply to us?
- Are there any gaps in our existing processes and procedures to ensure compliance with the GDPR?
- What are the changes and by when?
- Do I need to get additional consent from our data subjects due to the changes?
- What are the priorities?
- What will be the cost?
OAC can help with ensuring compliance with the GDPR so please get in touch.