After Theresa May called an election seeking a stronger mandate to negotiate Brexit and was returned as a Prime Minister shorn of her parliamentary majority, we are still no closer to knowing what Brexit means – other than, helpfully, that it means ‘Brexit’. The surprise election result prompted a Queen’s Speech, which traditionally sets out the government’s plans for office, stripped of many of the Conservative Party’s manifesto pledges and heavily focused on the task of exiting the EU. In this context, the announcement that the government is pressing ahead with the introduction of the EU’s General Data Protection Regulation (GDPR) can be read as demonstrative of the UK’s commitment to improving privacy regulation.
The GDPR applies across the EU from the 25 May 2018, when the UK is expected to still be a part of the bloc. This, of course, raises questions over what happens when the UK leaves the EU and EU Regulations automatically fall out of the UK’s statute book. The UK government addresses this in the notes accompanying the speech, suggesting that the GDPR will be codified into UK law via the Repeal Bill.
While privacy professionals will welcome the UK government’s commitment to ensuring it has a data protection framework robust enough to meet the challenges posed by advances in technology, the introduction of the GDPR will require significant effort to ensure organisations meet the higher compliance standards set by the new law. Organisations should take these obligations seriously, as infringements of data protection laws could attract fines that will rise from a maximum of £500,000 under the current regime to the higher of €20 million (approximately £17.7 million) or 4 per cent of the previous year’s total worldwide turnover.
Outlined below are four key areas that organisations should consider when establishing their compliance programmes.
1. Increased scope
The GDPR broadens the scope of data protection law. For the first time, those processing personal data on behalf of other companies, whose liability is purely contractual under the current law, will now be directly liable for their data processing activities. The extraterritorial reach also is extended under the GDPR. Now, any organisation either offering goods or services to people in the EU or monitoring their behaviour will fall under the jurisdiction of the GDPR, irrespective of where in the world they are located.
The GDPR abolishes the requirement for organisations to register their processing activities with the data protection authorities of all EU member states where they process personal data. In its place comes a regime that places the onus on organisations to ensure that they are able to demonstrate that they have in place the internal policies, procedures and safeguards to ensure the protection of personal data. Organisations will also be required to maintain inventories of their processing activities. These records play an important role in monitoring organisations’ compliance.
Although those involved in data protection compliance will welcome the reduction in red tape, the reality is that the GDPR requires far more of organisations not only to get their house in order but to maintain it too.
3. Data protection by design and by default
Previously a best practice recommendation, ‘data protection by design and by default’ becomes mandatory under the GDPR. This will require organisations to consider data protection rights from the very beginning of the development of products, services and applications. Taking into account the particulars of their processing and the associated risks to individuals, data controllers (those organisations determining the purposes and means of the processing) will need to implement appropriate technical and organisational measures to ensure data protection compliance. Suitable measures could range from the encryption and pseudonymisation of personal data to corporate communications highlighting the board’s commitment to data protection.
A number of prescriptive requirements, including the obligation in certain circumstances to appoint a data protection officer or to undertake data protection impact assessments fall under the broad remit of data protection by design and by default, and all should be considered when establishing the appropriate level of safeguards to implement.
4. Enhanced rights for individuals
Under current law, individuals have a range of rights that they can exercise in relation to their personal data, from a right to access the data to the right to have certain data (e.g. inaccurate or unlawful data) erased or rectified. Each of these rights is enhanced under the GDPR, and will require organisations to adapt their information systems to comply with the new requirements.
In addition, the GDPR introduces a new right: the right to data portability. The right relates to information provided by the individual to the data controller where processing is undertaken with consent or under contract. The right is designed to reflect developments in information technologies, and it likely will affect social networks, online stores and service providers, in particular. Where the right is exercised, the individual will be entitled to the information in a structured, commonly-used and machine readable format.
Post-Brexit complications for multinationals
Despite the UK’s commitment to implement the GDPR, the impact of Brexit on the European data protection landscape remains unclear. The country’s data protection regulator, the Information Commissioner, has voiced an appetite to continue to work closely with her European colleagues, but ultimately the dynamic will be determined by the EU. It is almost certain that the UK will no longer have representation on the European Data Protection Board and will cease participating in the EU-wide one-stop-shop regulatory framework.
Although the UK government’s tone is bullish on the strength of its new data protection regime, concerns remain over whether the UK will be deemed by the EU to offer an adequate level of data protection safeguards. If it is not, then unrestricted personal data flows between the EU and UK will be a thing of the past. It may seem counterintuitive that the UK could be viewed as inadequate when the text of its data protection law will be identical to that of the EU, yet political issues such as the UK’s adoption of the Investigatory Powers Act 2016 may jeopardise an adequacy finding. As well as preparing for GDPR compliance, organisations operating in multiple EU member states should keep one eye on developments and consider how they might react to a situation where the UK is not deemed to be adequate.
Aaron P. Simpson, Managing Partner, Hunton and Williams’s London office
Adam Smith, Associate, Hunton and Williams
Image source: Shutterstock/Wright Studio
Read the rest of our GDPR content here (opens in new tab)