EU data law will affect businesses
We may only just be into a new year, but businesses need to be aware of a huge piece of EU legislation that applies from 25 May 2018 - replacing the UK’s 1998 Data Protection Act.
The General Data Protection Regulation (GDPR) has been a long time coming with various drafts having been published over recent years, and marks a tough new era in EU-wide data protection including greater responsibilities for data processors and severe penalties of up to four per cent of worldwide turnover for non-compliance.
It imposes much stricter operating boundaries on any business that processes personal data about individuals in the EU, not just on businesses based within the EU.
It means any UK business trading with EU citizens, even post-Brexit - regardless of whether or not Britain exits the EU before May - will be affected, as will anyone who transfers personal data from the EU to the UK for processing or storage.
The main provisions of the GDPR include:
Consent – currently, much data is collected on the basis that individuals will choose if they wish to opt out. In future, where consent is the basis relied on for processing, an individual will have to take a positive action that clearly demonstrates their consent before their data can be collected; silence, pre-ticked boxes or inactivity will not count.
Transparency – more information will have to be provided by the data controller from the outset about how data will be used and how long it will be kept for, as organisations must not hold on to data for any longer than is necessary for the purpose it was collected for.
Accountability – there is a shift from risk management to compliance so in future, organisations will have to be able to show that they are actively complying with the GDPR, not just identifying risks or responding to breaches as they occur.
Specialists – A specialist Data Protection Officer will be an obligatory appointment for most public bodies and for any organisation controlling or processing data where core activities involve “regular and systematic monitoring” of data subjects “on a large scale”. For an organisation that subcontracts its processing there is a high duty of care imposed in selecting its data processing provider, with procurement processes to be followed and regular ongoing reviews.
Breaches – currently some may be managed internally without reporting, but in future there will be a statutory obligation to notify the regulator – the ICO in the UK - within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals, and to notify the individuals affected without undue delay where the breach is likely to result in a high risk to them. Fines will be imposed for breaches, up to a maximum of €20m or 4% of total worldwide turnover, whichever is higher, for serious contraventions.
Children – No one under 13 can give their consent to the processing of personal data in relation to online services, and so parental consent must be obtained. Member States are free to set their own rules for those aged 13-15; if they do not, parental consent will be required for children under 16.