Data protection rules are changing: Here’s what the aftermarket needs to know
Data protection law has recently been updated by Europe and will be in place in less than two years. Despite the Brexit vote, businesses – large and small – need to note the changes as the penalties for breaches will be severe and adjusting to the new rules will take time.
The European Union’s General Data Protection Regulation (GDPR) was finalised at the end of April 2016 after four years of discussion, disagreement and negotiation and will directly affect all member states from May 2018. Firms have no choice – the GDPR is not going away.
But a question arises: Now that we’re scheduled to leave the EU, will the GDPR still matter? The answer is yes – it will. The Secretary of State for Culture, Media and Sport, Karen Bradley, before a House of Commons committee at the end of October 2016, formally stated that: “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR.”
TAKE THE LAW SERIOUSLY
The GDPR is not a monster but it needs to be taken seriously. Changes will be required, and if the required changes are not made then firms risk considerable fines and reputational damage. Indeed, under the GDPR, those organisations that breach the law could face a fine of up to four percent of annual worldwide turnover or €20m (whichever is the greater).
These penalties do seem geared to the larger firm, but a quick search of the Information Commissioner's Office (ICO) website – the UK enforcer of data protection law – shows that organisations of all sizes are being taken to task.
The present data protection regime, under the Data Protection Act 1998 (DPA), protects a person’s rights in respect of their personal data and is built upon eight data protection principles. These are all common sense and require that personal data is processed fairly and lawfully; obtained and used for specified and lawful purposes only; adequate, relevant and not excessive in relation to their purposes; accurate and up-to-date; not kept for longer than is necessary; processed in accordance with the individual’s rights; kept secure; and not transferred outside of the European Economic Area without adequate protection.
Apart from these there are other points to note about the present law. The first is that there are extra obligations when handling sensitive personal data such as information about ethnic origin, sexual life, trade union membership etc. Further, individuals have a right via a Subject Access Request (SAR) to find out what information is held about them.
Rights of the individual
Individuals have a right to know what is going to be done with their data, and who it is going to be shared with. A website privacy notice can tell people about this. Under the GDPR there is additional information which must be provided: Firms will need to tell data subjects – users – the legal basis for processing their data, the data retention period, and of their right to complain to the ICO. There is also a requirement that the privacy notice is concise, easy to understand and in clear language.
The GDPR confers new rights, such as the right to have inaccuracies corrected, to have information erased, to prevent direct marketing and to data portability (because of this, firms will have to be able to provide data electronically).
Presently, firms have 40 days to respond to a subject access request, but under the GDPR this will drop to a month. Refusing a request will require a firm to have appropriate policies and procedures in place. There will also be obligations to provide additional information, such as data retention periods and the right to have inaccurate data corrected.
Consent for data processing
For many, the most challenging area under the DPA is that of “consent”: consent to use personal data cannot be inferred from silence, pre-ticked boxes or inactivity. The GDPR requires that consent must be freely given, specific, informed and unambiguous. If a firm is going to rely upon ‘implicit consent’, then it must be ready to deal with a challenge as to how unambiguous that consent was.
There is presently no general obligation to report data breaches, but the GDPR radically changes this and creates an obligation to report, within 72 hours, data protection breaches which could cause harm to an individual. Firms should consider how they would deal with this new obligation. They should be asking: How secure are their systems? What training do staff have? Is personal data encrypted? What breaches might result in an obligation to report? How would the harm to individuals be mitigated? Do the procedures in place around data breaches allow these obligations to be met?
One solution to compliance is obvious – appointing a capable, interested person with the responsibility for ensuring that the obligations are met.
The GDPR is a real and present threat to firms and organisations of all sizes and the financial consequences for ignoring the new rules are severe. However, those that plan and who choose to follow their obligations should have little to worry about.