Set to be one of the last legacies of the EU to enter UK law before Brexit, the General Data Protection Regulation (GDPR) will take effect on 25 May 2018, applying automatically in all Member States of the EU to organisations that collect, process, or store personal data. It will bring organisations under increased regulatory scrutiny, and significantly increase the potential sanctions for non-compliance by those handling personal data.
It is anticipated that post-Brexit, the UK will adopt the GDPR because of the impact on businesses should it fail to do so. So it is vital that organisations start to prepare now, to establish where they are likely to need to make changes.
There will be more stringent requirements in terms of governance of personal data. The obligation on data controllers to register with the Information Commissioner’s Office (ICO) will be replaced by the requirement for both controllers and processors to keep written records of their data processing activities. Reporting of data breaches will become mandatory, and there will also be some changes to cross-border transfer rules.
Public authorities will be required to hire a Data Protection Officer (DPO), as will organisations that process certain sensitive or criminal personal data, or monitor data subjects on a large scale. The DPO should retain independence from senior management; EU level guidance confirms the role should not be filled by the Chief Executive or Chief Financial Officer, or the head of HR, marketing or IT.
The requirements for collecting consents will become stricter and the ICO has now published draft consent guidance for public consultation. Additionally, the GDPR introduces new rights for individuals seeking to access the data an organisation holds about them. Access request provisions have been extended to entitle the “data subject” to more information, and the timescale for compliance has been shortened. Data subjects will have enhanced rights to have data rectified, restricted or transferred. EU-level guidance suggests firms will be required to offer a direct download opportunity for the data subject, and an option to transmit data to another controller. Organisations will also have to take reasonable steps to delete personal data, where requested by the data subject.
Most importantly, non-compliance with the GDPR will result in significantly higher fines: up to €20 million or 4 per cent of annual global turnover, whichever is greater.
Although further guidance on GDPR compliance is yet to be published, it is anticipated it will affect most organisations, as it will have significant implications even in respect of personal data held purely on employees. It will be advisable in most cases not to rely on consent to process personal data. Organisations should consider alternative grounds on which to justify processing, for example where it is necessary for performance of the employment contract.
General commercial contracts that cover use of personal data will likely have to be reassessed to reflect the extra burden of compliance under the GDPR, and this may have a cost impact for businesses.
Organisations should carry out a careful audit of all personal data they hold, including employee information, and review the legal basis for holding it. Appropriate training should be provided to employees on their data protection responsibilities under the GDPR, particularly as it is often employee mistakes or errors that lead to significant data loss incidents.
Ahead of May 2018, organisations should take advice to ensure GDPR compliance. Businesses should be conducting data protection audits, seeking advice on data policies and compliance, and considering existing contracts relating to use of data.
Alison Bryce is a partner and heads the IP and Technology Team, Maclay Murray & Spens LLP.