The General Data Protection Regulation is here!
For many months (even years!) we have been talking about the new General Data Protection Regulation ("GDPR"), which is to replace the Data Protection Act 1998 ("DPA"). Finally, we can confirm that the GDPR has been ratified and published in the Official Journal of the European Union. It will be in force from 25 May 2018; the countdown has begun.
What does the GDPR do that is different?
The simple answer is: lots. The GDPR develops the existing law regarding data protection in the EU and introduces many new legal concepts. It wouldn't be possible to summarise all of them in a Stop Press but we think the key changes are:
- Penalties: The Information Commissioner's Office ("ICO") can currently levy fines of up to £500,000. From 25 May 2018, this will increase to an eye-watering €10m or 2% of worldwide turnover (whichever is higher) for lesser breaches of the GDPR or fines of up to €20m or 4% of worldwide turnover (whichever is higher) for serious breaches of the GDPR. The GDPR also codifies the right for individuals to bring class actions, which are something of a rarity under the current regime.
- Security Breaches: There is currently no legal duty to report a data security breach under the DPA. This will change. The GDPR obliges all organisations to report data security breaches to the ICO where there is a high risk to the rights of the affected individuals. Reports must be filed within 72 hours. Failure to do so will be an aggravating factor if the ICO decides to levy a fine.
- New Rights: The GDPR grants new and significant rights to individuals. They include: the right to be forgotten (i.e. to have an organisation permanently delete all data that it holds about you) and the right to data portability (i.e. to receive a full copy of all data held about you in a commonly used, machine-readable format).
- Subject Access Requests: The current £10 fee will be abolished, but you can charge a reasonable fee for subsequent requests (i.e. not the first request). Expect lots more subject access requests! The time period is shortened from 40 days to 1 month, although this can be extended to 3 months in exceptional circumstances.
- Data Protection Officer: Every organisation will need to have one if they undertake regular and systematic monitoring of data subjects on a large scale or if they process sensitive personal data on a large scale.
- Record Keeping: The duty to be registered with the ICO will be abolished. Organisations will need to keep internal records of all data processing that they carry out, along with information about how long the data is kept, why it is being processed, whether it is transferred overseas, etc. These records need to be available for inspection.
- Consent: The definition of consent becomes even narrower, meaning it is likely to be harder (if not impossible) to get implied consent to things like direct marketing.
Can I just do nothing for 2 years?
Well, no. We think (and the ICO agrees) that all organisations need to take action now to get their respective houses in order. True, the DPA remains good law for 2 years. However, we think it will be tricky to explain away inaction if you are found to be in breach soon after the deadline expires, particularly if you have been on notice of the changes for 2 years.
Nobody does data protection like we do data protection.
We have one of the largest dedicated commercial teams between London and Birmingham. We have a team of specialist data protection lawyers who are able to advise on all data protection issues, however large or small. We'd love to talk to you about data protection; please contact Matthew Holman.