As head of the commercial team Luisa has a wealth of commercial law experience and advises clients…
The General Data Protection Regulation (GDPR) was adopted in May 2016 with an implementation date of 25 May 2018, but the referendum decision on 23 June 2016 created uncertainty as to whether the UK would in fact be subject to the biggest revision to Europe’s privacy laws in 20 years. Notwithstanding the ongoing debate on when, and indeed whether, the UK will leave the European Union, the government has now stated that from 25 May 2018 the GDPR will apply in the UK. Businesses should therefore begin preparing for this overhaul of privacy law now, to avoid the hefty sanctions for non-compliance.
Data protection law in the UK currently derives primarily from the Data Protection Act 1998 (DPA). Under the DPA, a distinction is drawn between ‘data controllers’ and ‘data processors’, with greater obligations and responsibilities placed on the former. The definitions of controllers and processors remain broadly the same under the GDPR, but processors should now be prepared to face a range of new statutory obligations, including:
The GDPR also places more obligations on data controllers, such as obliging them to ensure that their contracts with processors are compliant with the GDPR. Furthermore, controllers will be required to show how they comply with the data protection principles, for example by documenting the decisions which they take about processing activities. They must also notify the ICO of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; where notification is made later than 72 hours, it must be accompanied by reasons for the delay.
The GDPR also creates new extended rights for data subjects. In particular, the issue of what amounted to consent under the DPA was unclear, but the GDPR stipulates that this must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Appropriate measures will need to be put in place by businesses to ensure such consent is given.
In addition, the data subject must be able to withdraw their consent as easily as they gave it, and where consent was the only lawful basis for the processing, the data controller must then erase the relevant data without undue delay. This is a much more stringent requirement than under the DPA. The GDPR also provides further rights for data subjects, including but not limited to the right to access their data and the right to data portability.
The importance of ensuring that appropriate measures and systems are in place to comply with the GDPR is highlighted by the significant fines and sanctions for businesses that fall foul of the regulation. The powers of the ICO will be extended, for example allowing it to impose fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is higher (increased from the current maximum fine of £500,000 under the DPA).
What should businesses do?
Although the GDPR does not apply until May 2018, you should not underestimate how long it may take to achieve compliance. Whilst how you do this will vary depending upon the nature of your business, some key initial issues to consider include:
For further information contact the Commercial team on 0113 220 6270.