Background
The long-awaited European General Data Protection Regulation (“GDPR”) has finally been published in the Official Journal of the European Union and will become law on 25th May 2018.
The GDPR will replace the European Data Protection Directive, which was implemented in the UK via the Data Protection Act 1998 (“DPA”). Unlike the Directive, which has been implemented differently in each Member State, the GDPR will be directly applicable in each Member State. As a result, the GDPR will both transform and harmonise data protection legislation across the EU.
This article provides some examples of the key changes which will likely be of interest to the public sector.
Key elements of the GDPR
- Consequences of non-compliance
At present, the Information Commissioner (“ICO”) can impose a maximum administrative fine of £500,000 for a serious breach of the DPA. Under the GDPR, the potential maximum fine will increase substantially, to €20 million or 4% of an organisation’s total worldwide annual turnover in the previous year. In each case, the penalty will be tailored to reflect the severity of the breach.
Under the GDPR, the ICO will also have wider-ranging enforcement powers. For example, the ICO will be able to impose a temporary ban on an organisation’s data processing activities and order the rectification or erasure of personal data.
Organisations can take steps to prepare for the introduction of these provisions by identifying and addressing any gaps in their data protection compliance. Organisations should also familiarise themselves with the new obligations imposed by the GDPR and develop a plan for achieving practical compliance prior to 25th May 2018.
- Fair processing
Under the Directive, all personal data must be processed “lawfully and fairly”. The GDPR builds on this principle by adding that all personal data must be processed “in a transparent manner”. In practice, the principle of transparency will require data controllers to provide a significant number of new categories of information to data subjects. For example, data controllers will need to explain to data subjects the legal basis for processing their personal data and the existence of various data subject rights.
The additional information requirements under the GDPR may appear onerous. However, as the GDPR will harmonise the information requirements, this means that a single privacy notice is more likely to be sufficient across the EU. Organisations should start reviewing and updating their existing privacy policies to ensure they convey the categories of information mandated by the GDPR.
- Consent
The GDPR provides some important clarifications on the meaning of consent. In addition to a requirement that consent must be “freely given, specific and informed”, the GDPR adds that it must be “unambiguous” and signified by a “clear affirmative action”. Where sensitive personal data is processed, consent must be “explicit”. Under the GDPR, data subjects will also have the right to withdraw consent at any time and must be informed of this right prior to giving consent.
In practice, the requirement for a “clear affirmative action” means that consent will be more difficult to obtain. Organisations should review and adapt their existing consenting mechanisms to reflect the fact that the use of silence, pre-ticked boxes and “blanket” consents may no longer be used to obtain consent.
- Notification of Data Breaches
Under the Directive, there is no mandatory obligation on data controllers to report data breaches to their national data protection authority or to inform data subjects affected by the breach. However, the ICO has taken the view that “serious” data breaches should be brought to its attention.
In contrast, the GDPR will oblige data controllers to notify the ICO within 72 hours of any breach which may result in “a risk to the rights and freedoms” of individuals. This would appear to set a lower bar for notification, though it remains to be seen how such a “risk” will be interpreted in practice. In addition, data controllers must (with some exceptions) notify data breaches to data subjects without undue delay where the breach is likely to result in a “high risk” to their rights and freedoms.
The ICO recommends that organisations assess the categories of personal data that they process and consider which of them would likely need to be notified to the ICO in the event of a security breach. Organisations should also develop data breach management policies so that they have the necessary processes in place to comply with the new regime.
Comment
When the GDPR comes into force on 25th May 2018, it will transform the existing data protection regime. This article has discussed only a few of the key changes and is by no means a comprehensive guide. It is essential that organisations use the two-year transitional period to familiarise themselves with their new obligations under the GDPR and implement any changes which may be required in order to ensure compliance with the new regime.
Co-authored by Joy Black.