General Data Protection Regulation (GDPR)
by Nick Humphreys & Justin Cheuk
The rise of the internet has revolutionised the way personal data is processed, so much so that the current data protection legislation, the Data Protection Act 1998, has been outpaced by technological change. The EU has responded with the General Data Protection Regulation (GDPR), a more up-to-date and harmonised data protection regime which requires businesses to engage actively with its new requirements for data processing. The GDPR applies directly in the UK from 25 May 2018, supplemented by the Data Protection Act 2018, and is likely to remain in force in any Brexit scenario; it is therefore of the utmost importance for businesses to comply with the new law or face serious financial penalties under it.
While the GDPR overhauls the existing data protection regime, key concepts such as data subject, data controller and data processor remain broadly similar. The overarching principle of data processing also continues to apply: to process personal data, the data controller must have a lawful basis, or must process the data in a way that falls outside the scope of the GDPR, e.g. by anonymising it so that it can no longer be traced to an identifiable individual.
However, the GDPR alters the compliance structure by adopting a risk-based approach. It is now the responsibility of businesses to assess the risk associated with their data processing and to justify, with reference to the law, their decisions to process such data. Data controllers and processors must take an active role: implement data protection by design and by default, and continuously assess whether those protections remain effective.
One of the most significant changes brought by the GDPR concerns consent as a basis for processing. Implied consent for non-sensitive data will no longer suffice, and the GDPR sets a higher standard of consent in general:
• Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative act (a pre-ticked box, silence or inactivity will not do), separately for each purpose of processing. For special categories of data, such as health data, consent must be explicit.
• The burden is on the data controller to demonstrate that consent was validly obtained. Performance of a contract cannot be made conditional on consent to processing that is not necessary for that contract. Where there is a clear imbalance between the parties, e.g. employer and employee, consent is unlikely to be regarded as freely given.
• Data subjects have the right to withdraw their consent at any time, and it must be as easy to withdraw consent as to give it.
Other changes brought by the GDPR include:
• EU-wide harmonisation: the GDPR forms a single legal framework across the EU. A business established in more than one member state deals with a lead supervisory authority in the state of its main establishment (in the UK, the Information Commissioner's Office, the ICO).
• Expanded territorial scope: non-EU entities that offer goods or services to data subjects in the EU, or monitor their behaviour there, are also subject to the GDPR.
• Stricter data breach notification: a data controller must notify its supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the risk to individuals is high, the affected data subjects must also be informed.
• Enhanced data subject rights: including the right to have data erased or rectified; the right to object to processing, including profiling; the right to obtain a copy of the data held; and easier data subject access requests.
If a business falls foul of the GDPR, its supervisory authority (in the UK, the ICO) can impose fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is the greater, for the most serious breaches. In light of these penalties, businesses should consider the following:
• Review the personal data held: what, where and what for?
• Consent: has it been validly obtained and recorded?
• Create a GDPR-compliant data breach policy with reporting deadlines.
• Consider whether a data protection officer must be appointed.
Thomas Cooper is well placed to offer advice on the GDPR. For further information, please contact Nick Humphreys, whose details appear below.