The Data Protection Act 1998 was enacted to bring British law into line with the EU data protection directive of 1995. Since then, the rate at which technology has advanced has been astronomical, resulting in a surge of innovative ways in which businesses can commercially exploit personal data.
What’s more, the world has become increasingly interconnected, the nature of data exchanges has become more globalised and the legislative approach across EU member states is widely acknowledged as being disjointed.
In response to these changes, and the consequent focus on the importance of protecting personal data, the European Commission has published proposals for the reform and harmonisation of EU data protection law. The Regulation, a supposedly single comprehensive legal framework governing data protection, is expected to overhaul and replace existing data protection legislation.
The Regulation’s objectives remain the same: protecting individuals with regard to the processing of personal data and enabling the free movement of personal data between member states via secure means. However, the new Regulation will bring significant change to how businesses deal with personal data in practice.
Guidance suggests that the Regulation will swing data protection law in favour of the individual, to ensure their personal data is adequately protected. Any individual data captured by a business will most likely be considered ‘personal data’ and such businesses will therefore need to comply with the Regulation. With the introduction of the Regulation expected over the next year or two, now is the time to consider what steps must be taken to proactively address data protection risks.
How does the Regulation apply to member states in the EU?
Although some, including the UK government, believe reform would be better delivered as a directive, primarily to afford member states more flexibility and discretion in its implementation, the Regulation would be directly binding on all member states immediately. The Regulation will be self-executing and will not require any implementation measures, meaning there is no two-year implementation phase after the date on which it comes into force.
So what’s new?
• Non-EU companies which offer goods/services to individuals in the EU and/or monitor their behaviour must comply with the Regulation.
• Companies cannot work on the basis of implied consent in certain circumstances. All consent must be explicit, for example by obtaining consent via opt-in tick boxes on websites.
• The extent to which data controllers must collect and process data will be limited to the ‘minimum necessary’ (rather than ‘not excessive’). This is a more robust data minimisation principle.
• Individuals can request that the data controller erase all personal data relating to them and abstain from further dissemination of that data (i.e. ‘the right to be forgotten’).
• Data processors are now specifically included within the scope of the Regulation, meaning data subjects have enhanced protection where their data is processed by a party other than the data controller.
• Companies may be fined up to 1m euros or up to 2 per cent of global turnover for data protection breaches, a significant increase on the maximum fine the ICO can currently impose (£500,000).
• One set of rules will apply across the EU, meaning businesses will not need to deal with member states’ varying rules.
Top tips for compliance
• Conduct regular data protection audits and risk assessments
• Maintain and adhere to a remediation and security plan and appropriate controls and training
• Ensure you have clear internal data protection policies
• For Privacy Policies/Notices:
- Use plain English
- Use language appropriate to the audience
- Be transparent about the purpose of collecting data
- Make them available before providing goods or services
• Enter into, and vary existing, written agreements with third parties to whom you pass personal data that you control and ensure such agreements are compliant with the Regulation
• Collect and process the minimum data necessary
• Properly inform your users about what will happen to their personal data
• If applicable, identify yourself as a data controller, e.g. provide your email/website address
• Allow users to easily review and change their decisions once you have begun providing goods and/or services
• Remember: Failure to comply with the Regulation comes at a price!
• Take advice
The expected date of the introduction of the Regulation is 2016/2017. Businesses therefore need to start considering, and preparing for, the impending changes to ensure they are data protection compliant on a practical level moving forward.
A failure to do so can lead not only to significant fines, but also to damage to business reputation. The cost of implementing new procedures, and of reviewing those which already exist, to ensure compliance is relatively small compared with the enormous costs that may be incurred for non-compliance.
Don’t be caught out by the Regulation: start making the necessary changes prior to its introduction.
David McGuire, Outsourcing, Technology and Commercial Team at Wright Hassall LLP