General Data Protection Regulation (GDPR)…significant change on the horizon
The GDPR will be applicable in all EU member states from 25 May 2018.
The UK Government has confirmed that it will not repeal this law upon Brexit.
On 9 March 2017 the Information Commissioner’s Office (ICO) updated its 2014 paper on big data, artificial intelligence, machine learning and data protection to take account of the upcoming implementation of the GDPR. “Big data” analytics can appear at odds with the key GDPR principles of accountability and transparency, as its distinctive features include the use of algorithms, opacity of processing, tendency to collect “all the data”, the repurposing of data and use of new types of data. The ICO paper identifies key issues and offers guidance on how to minimise the privacy impact of using big data.
What are the main changes introduced by the GDPR?
The GDPR imposes a much stricter regime, with new measures including:
- Expanded territorial scope – non-EU data controllers and processors will be caught by the GDPR if they offer goods or services to data subjects in the EU, or monitor the behaviour of data subjects within the EU.
- Direct obligations imposed on data processors as well as data controllers – for example the duty to implement appropriate technical and organisational security measures, and to keep records of processing activities.
- Higher penalties for non-compliance – there will be two tiers of penalty, with maximum fines of 4% of annual worldwide turnover or €20,000,000, whichever is higher. This is roughly 40 times the current maximum penalty of £500,000 under the Data Protection Act 1998.
- Increased rights of data subjects – including the “right to be forgotten” (erasure) and the right to data portability.
- Higher standard of consent – where consent is relied upon as the basis for processing data, data controllers will need to show that it was given freely, specifically, unambiguously and by a clear affirmative action of the data subject. There are new rules in relation to processing children’s data on the basis of consent, including a requirement for parental authorisation for online services offered to children below the applicable age threshold.
Steps to take
Policies, systems and procedures should be reviewed in advance of 25 May 2018 to ensure compliance with the stricter regime. Businesses should consider:
- Preparing for data breaches – there is a duty to notify personal data breaches to the data protection authority (without undue delay and, where feasible, within 72 hours of becoming aware of the breach) unless the breach is unlikely to result in a risk to individuals, and to notify the affected data subjects where the breach is likely to result in a high risk to them. Businesses will need to develop breach policies, put detection and escalation procedures in place, and rehearse notification.
- Establishing a framework for accountability – the GDPR imposes onerous obligations on data controllers to demonstrate compliance, not merely to comply. Policies and culture should be designed to minimise risk, using data protection impact assessments for processing that is likely to result in a high risk to individuals.
- Incorporating privacy by design – all new processing and/or products should be embedded with privacy principles.
- Analysing and recording the legal basis of personal data use – what data processing does the business undertake and how it is justified?
- Checking privacy notices and policies – these should be transparent, easily accessible and make provision for the enhanced rights of data subjects.
- Considering rights of data subjects – how do these compete with the business’s legitimate interests and what happens if an individual tries to exercise them?
- Reviewing cross-border data transfers – given increased fines, businesses should review grounds for transferring personal data to jurisdictions without adequate data protection regulation.
- Appointing a Data Protection Officer – this will be a requirement for some organisations, including public authorities and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.
- Reviewing the supply chain – suppliers should consider whether they have new obligations as a data processor, and customers should check that their contracts with processors contain the terms the GDPR requires.
The ICO has published guidance on the implementation of the GDPR and is planning further guidance on contracts and liability.
If you would like to speak to someone at Druces LLP about what the GDPR could mean for you and your business please contact Chris Evans or Charles Avens.
This news was posted on 15 March 2017.