Over the last few years, the public has become increasingly concerned about individual privacy on the back of a series of information security scandals and concerns (raised by the former CIA contractor Edward Snowden) that intelligence services at home and abroad may engage in intelligence gathering that is not subject to proper control.

Current data protection laws – notably, the Data Protection Act 1998 in the UK – were conceived before the internet as we know it now existed and are simply no longer fit for purpose.

So, in December, there was an important announcement that Europe had finally agreed the text of a new piece of data protection legislation, the General Data Protection Regulation (GDPR), which will usher in a new regime.

Although it will be a further two years before GDPR takes effect, it will introduce much tougher rules for organisations that handle personal data.

Changes introduced by the GDPR include:

– Consent – the requirements for ‘consent’ are tightened so that ‘clear affirmative action’ will be required for consent to be established. The days of pre-ticked boxes will finally come to an end.

– Transparency – organisations must provide more information to us when they obtain our personal data to explain in more detail how that data will be used, how long it will be retained and, if it is to be stored outside the European Economic Area (EEA), where it is to be held and how it is to be safeguarded.

– Access – the rules allowing us to access our personal data and to obtain information about how that data is being used are being strengthened and the timescale for responding is being shortened.

– Privacy by design and default – organisations will be obliged to ‘hardwire’ privacy considerations into their day-to-day operations and projects through measures such as minimising the amount of data held and activating privacy-friendly settings in technology.

– Breach notifications – there are express statutory obligations to notify privacy regulators and affected individuals in the event of a data privacy breach where there is risk of harm to individuals.

– Accountability – organisations will have to be able to demonstrate to privacy regulators that they are complying with the GDPR on an ongoing basis.

– Sanctions – the maximum fines that can be imposed for serious contraventions are €20m (or 4% of total worldwide turnover for businesses) but lesser contraventions also carry hefty fines.

As a Regulation, the GDPR will have direct effect in EU member states without the need for any national implementing legislation. The intention is to ensure that there is no scope for member states to water down the GDPR and regulators in each state will be expected to toe the line through ‘consistency’ mechanisms, which may curtail the UK regulator’s current light touch regime.

Between now and the GDPR’s introduction in 2018, if the UK opts to remain in the EU, many organisations will need to invest heavily in systems and resource to ensure that they will be compliant. There is much to do.

Grant Campbell is Head of IP, Technology & Outsourcing at Brodies LLP