Although the GDPR is EU legislation, organisations hoping to hide behind Brexit will need to rethink their strategy. Unlike an EU directive, which must be transposed into national law, the GDPR is a regulation that applies directly in every member state, and it takes effect on 25 May 2018, while the UK is still a member of the EU. UK businesses will therefore have to abide by its rules. With only one year left to prepare for the incoming data protection rules, businesses must act now or face substantial financial penalties. The new legislation will overhaul the current legal framework and tighten the law on transparency, the collection of data and the role of consent.
According to the technology giant IBM, more data has been created in the past two years than in all of history before it, with an estimated 2.5 quintillion bytes created every day. People are posting to social media, shopping online and browsing the internet like never before and, as a result, are sharing their personal information with multiple companies all over the world.
With data growing at this unprecedented rate, the protection of personal information is getting stricter. Trust and integrity matter to the individuals who share their details, and businesses must respect this by using data appropriately and transparently. This is why, as of May 2018, the Data Protection Act 1998 (DPA) will be replaced by the Europe-wide General Data Protection Regulation (GDPR).
The GDPR also has a wider territorial reach than the DPA. It applies to any organisation that offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where the organisation is established. Businesses outside the EU, including a post-Brexit Britain, will therefore need robust processes and policies if they wish to sell to, or monitor, people living in EU member states.
Transparency is one of the biggest changes the GDPR will enforce. Whilst the DPA contained implicit transparency requirements, the new legislation makes them explicit and elevates their significance. To be transparent, businesses must be thoroughly open with individuals about what data is collected, why, and how it is used. It is therefore critical that organisations review how they gather personal information, the legal basis for each processing activity, their data retention policies, and how they share data with third parties.
Firms will also have to demonstrate their compliance with the new law under the accountability principle. It will be imperative that businesses update their procedures and policies, keep meticulous records of processing activities, carry out Data Protection Impact Assessments (the GDPR's term for what the DPA regime called Privacy Impact Assessments) for processing that is likely to involve high risk, and implement Privacy by Design and by Default in all activities. Demonstrating accountability will demand a greater investment of time and energy from firms to make certain that they are minimising the risk of breaching the law. These onerous procedures will place a significantly greater burden on a business's data capabilities and put increased pressure on information officers and engineering teams that are already in short supply.
Consent is another aspect that changes substantially under the new regime. Consent will need to be freely given, specific, informed and unambiguous, given by a clear affirmative action, and as easy to withdraw as it was to give; explicit consent is required for special categories of data, such as health data. Businesses can therefore no longer rely on silence, inactivity, default settings or pre-ticked boxes as the basis for permission. According to the ICO's draft guidance, organisations will have to name up front any third parties who are going to rely on the consent to use personal information, so a statement such as 'we may pass your data to partners of our choice' will no longer suffice. In light of these changes, businesses that rely on consent as the basis for any processing should review whether that approach is still suitable and whether another lawful basis, such as legitimate interests, can be used instead. Legitimate interests is not a free pass: it requires a documented balancing test against the rights and interests of the individual, and it is not available to public authorities acting in the performance of their tasks.
Although the GDPR comes into force in just under a year, it is crucial that businesses do not delay and start acting now to ensure they are ready for the changes. Failing to comply can have significant financial consequences: for the most serious infringements, fines of up to €20 million or 4 per cent of annual worldwide turnover, whichever is higher. Taking action now will safeguard businesses not only from the increased fines but also from the devastating reputational damage a personal data breach can inflict on a firm.
By Andrew Hartshorn, a partner in the information law team at Shakespeare Martineau.
COMPLIANCE BRIEFING: LONDON
12 OCTOBER 2017
COUNTY HALL, LONDON