What Do The New 2018 EU & UK Data Protection Changes Mean For Your Business?

EU’s General Data Protection Regulation (GDPR) May 2018

From 25 May 2018 the EU’s General Data Protection Regulation (GDPR) will come into force. The GDPR is widely considered to the biggest shakeup in data protection legislation for 20 years. The GDPR is a new law that significantly extends and strengthens the current law and regulatory regime in relation to data privacy and data protection. The GDPR will impose more stringent requirements in a number of areas with a view to giving individuals more control over their personal data and bringing data protection law up-to-date for the digital age.

The new GDPR also lays down some fairly stringent legislation for both large and small businesses (from sole traders to SMEs and large corporates), governing the standards by which personal data is collected, handled, protected and stored.

EU’s General Data Protection Regulation (GDPR) – Key Points For UK Businesses

• Change to definition of ‘personal data’. Under GDPR your IP address, internet cookies and DNA will also be classified as ‘personal data’. This is to reflect changes in technology and the way organisations collect information about people.
• Companies must collect and hold informed, specific and ongoing consent for all types of data processing and direct marketing campaigns.
• Consent cannot be assumed. Before direct marketing is sent, you must have freely given, explicit consent to store and use personal information. Companies will have to gain your ‘explicit’ consent before processing your sensitive personal data. If companies want to collect your personal data, they will have to gain your explicit consent – meaning you will have to proactively tick a box saying you agree. This means default opt-in and pre-selected “tick boxes” will become a thing of the past.
• When and how consent was given should be stored by businesses so it is quick and easy to find if requested to do so.
• New rules will be enforced which will affect how long you can store client information for and what personal information can be collected.
• Consumers will have a “right to be forgotten”, meaning they will be able to make websites like Facebook delete information – including content published in their childhood.
• Businesses will need to provide customers with much more detailed Privacy Notices.
• Businesses will not be permitted to process customer data if they do not have a legal basis for doing do.  The legal basis will need to be adequately documented.
• A principle of “accountability” will apply. Businesses will need to be able to adequately “demonstrate” compliance with the data protection principles.
• The rules regarding Subject Access Requests are changing significantly. Failure to comply with the new rules on Subject Access may result in a very large financial penalty.
• Some organisations will be required to appoint a Data Protection Officer, although many SMEs will be exempt from this.
• In certain circumstances, companies will be required to self-report a data breach to the ICO within 72 hours.

How Does The GDPR Impact The UK? New 2018 UK Data Protection Bill

Whilst the GDPR will apply unilaterally across all EU countries from 25 May 2018, it also requires each EU country to set its own rules on some data protection issues outlined in the Regulation and further provides for the option to do so in other cases.

In June 2017 in the recent Queen’s Speech, the current UK Government announced its intention to implement the GDPR into national law by introducing a new Data Protection Bill. The new 2018 Data Protection Bill will update the UK’s existing Data Protection Act taking into account the new EU GDPR legislation, giving UK citizens more control over their personal information – including what they share on social media. It will replace existing UK data protection legislation on both corporate data and data processing by law enforcement agencies. The Bill will be introduced in Parliament September 5 and 14.

The new UK data protection proposals are part of an overhaul of UK data protection laws drafted under Digital Minister, Matt Hancock. Mr Hancock said the measures are designed to “give consumers the confidence that their data is protected and those who misuse it will be held to account“.

Proposals included in the New 2018 Data Protection Bill will:

• Make it simpler for people to withdraw consent for their personal data to be used
• Let people ask for data to be deleted
• Require firms to obtain “explicit” consent when they process sensitive personal data
• Expand personal data to include IP addresses, DNA and small text files known as cookies
• Let people get hold of the information organisations hold on them much more freely
• Make re-identifying people from anonymised or pseudonymised data a criminal offence

The new GDPR/UK data protection changes are significant and place a stronger burden on UK businesses to protect data. They are likely to take many months to fully implement across an organisation. It is crucial that all businesses take action now in order to adequately prepare for GDPR/the 2018 UK Data Protection Bill.

New UK 2018 Data Protection Bill/GDPR and Brexit

As the UK will still be part of the EU when the GDPR comes into effect, the GDPR will be directly applicable in the UK from 25 May 2018 in the same way as in the other EU Member States until such time as the UK actually leaves the EU.

Thereafter, it is likely that the UK data protection regime will remain closely aligned to the GDPR, at least in the short to medium term. Also, if the UK wishes to continue exchanging data with EU countries, it will have to demonstrate GDPR compliance even after Brexit.

New UK 2018 Data Protection Legislation – Penalties For UK Businesses Failing To Comply

The New GDPR Legislation/UK Data Protection Bill places a stronger burden on UK businesses to protect data and allows for significant fines if they fail to protect information or suffer a breach. The UK ICO (Information Commissioner’s Office) will have the power to impose fines for non-compliance of up to £17m or 4% of global turnover in cases of very serious data breaches. The current maximum fine firms can suffer for breaking data protection laws is £500,000.

However, a spokesperson for the UK’s Information Commissioner’s Office (ICO) commented: “The new law equals bigger fines for getting it wrong but it’s important to recognise the business benefits of getting data protection right. There is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals – and gain a competitive edge.”

Sources

BBC Business News
BBC Technology News
Mirror
Virtual College
The Register
Out-Law
Bytestart
Lexology
ICO