Sean Stuttaford, the firm’s Chief Operating Officer and designated Data Protection Officer, discusses the forthcoming GDPR…
2016 has been a year of dramatic politics. The British public decided by popular vote to give up its membership of the European Union; David Cameron resigned as Prime Minister and Donald Trump was the surprise victor in the race to the White House.
Following the “Brexit” vote, many will probably consider the days of having to worry about EU rules a thing of the past. For many businesses it may now seem that the looming March 2018 date to comply with the EU General Data Protection Regulation (GDPR) is not particularly relevant.
However, at a recent conference on the topic, hosted at the Law Society’s office in London, speakers from the Information Commissioner’s Office (ICO) were clear that the ICO was still intending to push ahead and bring the UK’s Data Protection Act in line with the GDPR.
The reasons seem clear. As Prime Minister Theresa May recently announced, the process of leaving the EU, or triggering Article 50, to give the process its formal title, will commence in March 2017 and will most likely take two years of negotiation with our current European partners. The timings overlap with the need to comply with the GDPR. It is also likely that many current EU laws, including the GDPR, will be converted into UK national law when the UK formally leaves the EU. Finally, the UK’s new Information Commissioner, in September 2016, made the emphatic statement “I don’t think Brexit should mean Brexit when it comes to standards of data protection”.
So, whilst the exact impact on UK law is not completely clear at the time of writing this column, and the regulations are still just a framework that requires interpretation, we should take it as a given that one way or another we will all still be required to comply.
Fully exploring the implications of the changes required is not possible in this short article. It is instead intended to give our clients a reason to pause for thought.
UK businesses are now facing a challenge to align their processes with the new regulations and to manage the inherent risks of non-compliance such as reputational damage and fines of up to €20 million (or 4% of turnover).
Essentially the changes are focused on how consent for storing and sharing data is given and more importantly withdrawn, what data is protected, and how it is protected.
Particularly pertinent is the expanded territorial reach of the new regulations. The GDPR is designed to include data controllers and data processors inside and outside the EU whose activities include offering goods or services to EU citizens, even if those services are offered for free. It could be considered that if a company website has a .eu, or a neutral .com, domain this will be interpreted as offering goods or services to EU citizens, regardless of whether that was the intention of the business.
IT systems will need to have accountability and privacy by design. This means if your business or organisation is building new IT systems that will store personal data or beginning an initiative that will require sharing data, core privacy considerations and methodologies must be included by default.
At a very basic level, “consent” is an area of change that will almost certainly impact on every UK business that has a website. Firstly, consent must be explicit, and you will need to be sure that the data you are processing is required for the activity or service for which you are contracting with the data subject. To raise a question: have you, for example, ever clicked the “Agree” button at the bottom of a lengthy Ts and Cs document that gives access to your data so that you can gain access to some software, a website or even activate a smartphone?
It will also be a requirement that any consent given by a data subject can be withdrawn just as easily. If someone clicks “Agree” on your website for a service, you may need to provide a method for them to withdraw that consent in the same way.
If your business stores or processes the data of children (the age range for a child is defined by the individual EU states and some have lowered it from 16 to 13 years of age), you will require explicit parental consent. This could impact on websites, social media, e-commerce and use of registration for technology.
Thought will need to be given as to whether or not you will be required to have a Data Protection Officer, which will depend on the amount and type of data being processed. Data processors will have obligations for the first time under UK or EU law. Notification of breaches will need to be made within 72 hours of awareness. Individuals’ rights have been bolstered, and the recognition of Binding Corporate Rules (BCRs) for intra-group transfers of data has been included.
In summary, the GDPR is likely to have a wide-ranging impact on a number of areas of your business, including contracts with your staff, contracts with your suppliers and with people to whom you supply goods or services, as well as your IT systems and direct marketing activity. So, what should you do? You should consider what your obligations are going to be under the GDPR, document the information you hold, check that your internal procedures cover the rights of individuals, consider how you will obtain and record consent, and familiarise yourself with the ICO’s Privacy Impact Assessments. The ICO has a basic guide to the GDPR on its website.
Final thought: while there is no certainty about how these regulations will be put into UK law, there is no time to wait to begin your planning process. Do something now!