Reform of Data Protection Legislation
In 2018, the EU General Data Protection Regulation (GDPR) will come into force, replacing the Data Protection Act 1998 in UK law. The legislation will apply to all entities offering goods or services and those monitoring the behaviours of EU citizens.
6 Principles of the GDPR
The principles of protection are contained within Article 5 of the GDPR, which states that personal data must be:
- Processed fairly, lawfully and in a transparent manner in relation to the data subject.
- Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Processed in a way that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
New Rights and Obligations
Data controllers must have a legitimate reason for processing an individual’s personal data. The GDPR requires evidence of the consent given by an individual whether this be a tick box exercise or oral consent to a given statement. Silence will no longer constitute consent.
In accordance with Article 8, where the data of a child under the age of 16 is being processed, consent must have been obtained from the holder of the parental responsibility for that child.
An important point to note is that individuals now have a ‘right to be forgotten’, which means that anyone will be able to request that their personal data be erased once the data is no longer necessary for the purpose for which it was being processed, or where the individual has withdrawn their consent.
Breaches and Fines
Under the new legislation, as soon as a data controller becomes aware of a personal data breach, they must inform the ICO without undue delay and no later than 72 hours after the breach occurred. An exception to this rule is where it can be shown that the breach will not result in a risk to the rights and freedoms of individuals.
Breaches of the new GDPR could result in fines of up to 4% of global annual turnover for the preceding year (or €20 million). Failing to keep records or to comply with security obligations could attract a fine of up to €10 million or 2% of global annual turnover.
Ways to Ensure Your Business is Compliant
- Implement a system of escalation to ensure that breaches of data protection are reported quickly and effectively.
- Update your Data Protection Policy to reflect the new rights and obligations of individuals. Ensure that any internal systems of reporting are outlined and that the data controller and data protection officer are identified, where appropriate.
- All data controllers will need to keep internal records as to how data is processed.
- Ensure that any consent obtained from individuals, whether written, oral or electronic, is recorded effectively via internal systems.
- For businesses which monitor or process large volumes of personal data, it may be worthwhile appointing a data protection officer to monitor the procedures in accordance with the legislative requirements.
- Obtain written consent from the parent/guardian of any child under the age of 16 before processing their personal data.
- Ensure that any requests from individuals in relation to the handling of their personal data are dealt with efficiently and pro-actively so as to avoid a breach of the new legislation.
It is imperative that all businesses take steps now to implement the requirements of the new legislation ahead of its implementation into UK law in 2018. For more information or assistance in ensuring your business complies with the changes, please call Samantha Perry or Andrea Evans on 01926 499889.