As negotiations over Britain’s future relationship with the EU unfold, businesses will be monitoring the regulatory landscape carefully to see how the arrangements will effect their operations.
As negotiations over Britain’s future relationship with the EU unfold, businesses will be monitoring the regulatory landscape carefully to see how the arrangements will effect their operations. Of all the regulations to watch, data protection will be an interesting one. Not just in terms of the arrangements between the UK and the EU, but also in terms of how we choose to amend our own laws and what this will mean for the way in which we transfer data across EU borders.
In May of this year, the European Commission published details of its new rules governing data protection, moving away from a directive which had caused some confusion as a result of its wide interpretation by member states and opting instead for directly applicable legislation.
The General Data Protection Regulation (GDPR) applies from 25 May 2018 and will include all businesses providing services to or monitoring the behaviour of EU citizens, irrespective of whether or not they are domiciled in a member state. It builds on the principles established under the 1995 Data Protection Directive but also introduces some significant measures in a move to make the new legislation as future-proof as possible.
In addition, the legislation also raises the bar on enforcement, increasing fines from relatively low levels (maximum UK penalty £500,000) to possible maximums of €10,000,000 or 2% of worldwide turnover to €20,000,000 or 4% of worldwide turnover (whichever is higher) depending on the infringement.
Companies bound by the GDPR will need be aware of the new requirements and make appropriate changes to their systems and processes. Among the most significant changes are the rules around consent, notification, privacy by design, the right to erasure, data portability and liability for data processors.
Consent: Businesses must have a valid reason for every instance of data processing and seek proactive consent from the individual providing personal information/data subject. Pre-ticked boxes or any form of deemed consent should become a thing of the past. It will also become a requirement to seek the authorisation of parents or guardians for any consent given by a child.
Notification: Businesses will be required to notify their relevant supervisory authority within 72 hours of any data breach unless that breach is unlikely to compromise the rights and freedoms of the data subjects.
Privacy by design and by default: Businesses will need to be able to demonstrate that appropriate data protection safeguards are considered from the embryonic stages of new product or service design and development. They will also need to show evidence that data privacy safeguards are in place by default and that only appropriate and necessary data is collected and stored.
The right to erasure (‘the right to be forgotten’): Following much publicity around this issue, the EU has chosen to enhance existing rights to have personal data deleted by giving individuals the right to request that their data be erased in certain circumstances, such as if it is no longer needed or if consent has been withdrawn.
Data portability: This is another potentially difficult area of GDPR compliance and as such is an aspect of the legislation to monitor closely. The GDPR gives individuals the right to ask for their data to be provided in a structured, commonly used and machine-readable format, which could prove burdensome.
Liability for data processors: The GDPR introduces direct compliance obligations for data processors and as such they may be liable to fines. So while businesses bound by the GDPR will need to review their practices and procedures to ensure that their data protection systems are adequate and meet the new requirements above, the UK will need to consider its own data protection laws carefully.
As a member state, the UK would have been obliged to comply with the new EU law. Following Brexit, the country will have a choice. On the one hand, some of the measures are considered quite onerous, so Brexit could allow the UK to adopt laws that reduced some of the burden on businesses.
However, as we have seen with data transfers between Europe and the United States, countries wishing to engage in trans-border data transfers will need to demonstrate that their data security laws are sufficiently robust to meet the EU’s requirements of adequate protection.
The suspension last year of the Safe Harbour data protection arrangement between the US and the EU has created an even greater burden on corporates who are now required to resort to other methods of ensuring protection, such as implementing binding corporate rules or incorporating model clauses to transfer data across EU/US borders.
If the UK chose to adopt data protection laws that the EU deemed inadequate, rather than relieving the burden on businesses, it would increase them considerately as the country could find itself in the same position as the US, needing to negotiate a reciprocal agreement that works for both sides, with businesses needing to implement interim arrangements while the finer details are worked out.
The ICO has commented on the implications of the referendum result, arguing that to protect the growing digital economy, international consistency around data protection laws and rights will be crucial to businesses, organisations, consumers and citizens. It will be urging the British government to continue with data protection reforms. UK businesses will need to monitor the outcomes of these discussions carefully.
In the meantime, many UK companies will be bound by the GDPR regardless. Others would be advised to enhance their data protection measures as part of good corporate governance. Organisations should start with a systematic risk assessment of current practice and procedures to establish how their data is obtained, stored and transferred to understand if it is properly protected. Tools such as GoodCorporation’s Data Protection Framework can assist with this process, providing a gap analysis that identifies strengths and weaknesses and producing an action plan that shows what needs to be put in place.
Sally McGreachie is head of media relations and corporate communications at GoodCorporation.