GDPR becomes enforceable on 25 May 2018 and, since Brexit will happen after that, UK businesses will have to comply. What do you need to know?
It’s already gained much coverage. The largest fines – the higher of 4% of annual global turnover or €20m – will be for breaches of the fundamental obligations, such as obtaining proper consent or international transfers. Other breaches will still attract fines of 2% of annual global turnover or €10m. Some have told me that it’s currently cheaper to pay the ICO fine than pay for proper measures to avoid data breaches in the first place. After all, the ICO’s highest fine ever was £400k against TalkTalk. GDPR will put a stop to that.
Data protection by default
Companies will have to ensure they approach data protection by “design and default”. In essence, this means having clear processes for collecting just the data they need, obtaining proper consent and enabling the easy return or deletion of data. They will also need to keep proper data processing records. There is just over a year left to address this and it might mean companies having to adopt new systems and processes.
Tighter rules around consent
Consent is the quick way to ensure compliance, but GDPR tightens up the rules. From 2018, consent must be given by a “clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement”. It must be “explicit” in relation to the use of what is currently called sensitive data. It must also cover all the proposed processing, and it will not be regarded as freely given if there was no genuine or free choice. Finally, data subjects are allowed to withdraw consent at any time. This will mean companies must pay more attention to how they obtain consent. They should review their consent statements, tick boxes and privacy policies.
Expansion of individuals’ rights
GDPR hands more rights to individuals. They will still have the right to access the data held about them – the “subject access request” – to have this corrected or deleted, and to object to direct marketing. They will also have the full right to be forgotten / right to erasure as previewed in the Google vs Spain case. The controller will have to act “without undue delay” to delete data where, for example, the data subject withdraws consent, and must take reasonable steps to inform third parties of this request. Individuals will also have a “data portability” right to receive their data in a “structured, commonly used and machine-readable format” or to have it sent to another controller “without hindrance”. Companies should be prepared to tackle the administrative and technical burdens that this will place on them. It might also lead to more standardised or interoperable data collection and formats.
Data Protection Officer
There was much debate over whether all businesses should appoint a dedicated Data Protection Officer. The final text waters this down. German companies already need to have a DPO and this will probably remain. GDPR doesn’t require the average business to appoint one. The requirement only applies to public authorities or to businesses that regularly and systematically monitor data on a large scale. Having someone with overall responsibility for data compliance is probably a sensible step, even if someone takes this on as an extra role or it is outsourced.
Mandatory breach notification
At present, there is no all-encompassing obligation to notify the ICO of data breaches. GDPR will shift this balance away from the data controller and towards the ICO and the data subject. Unless the breach is fairly minor, controllers will have to notify “without undue delay” and will have to explain any delay beyond 72 hours. Controllers should adopt processes now to ensure compliance.
International personal data transfers
GDPR doesn’t radically alter international personal data transfers. If you rely upon consent to authorise your data transfers, you will have to inform your data subjects of the possible risks. Of course, there won’t be many risks if you have appropriate measures in place.
Data processing in contracts
With all these changes going through under GDPR, particularly the fines, I expect businesses to review their customer/supplier contracts. It’s one thing to make sure your house is in order, invest in new systems and processes and appoint a data compliance manager, but is the same true for your customer or supplier? You won’t want to be fined because of what they’ve done. Your contract with them needs to offset those risks.