Over the last few years, the public has become increasingly concerned about individual privacy on the back of a series of information security scandals and concerns (raised by the former CIA contractor Edward Snowden) that intelligence services at home and abroad may engage in intelligence gathering that is not subject to proper control.
Current data protection laws – notably, the Data Protection Act 1998 in the UK – were conceived before the internet as we know it now existed and are simply no longer fit for purpose.
So, in December, there was an important announcement that Europe had finally agreed the text of a new piece of data protection legislation, the General Data Protection Regulation (GDPR), which will usher in a new regime.
Although it will be a further two years before GDPR takes effect, it will introduce much tougher rules for organisations that handle personal data.
Changes introduced by the GDPR include:
– Consent – the requirements for ‘consent’ are tightened so that ‘clear affirmative action’ will be required for consent to be established. The days of pre-ticked boxes will finally come to an end.
– Transparency – organisations must provide more information to us when they obtain our personal data to explain in more detail how that data will be used, how long it will be retained and, if it is to be stored outside the European Economic Area (EEA), where it is to be held and how it is to be safeguarded.
– Access – the rules allowing us to access our personal data and to obtain information about how that data is being used are being strengthened and the timescale for responding is being shortened.
– Privacy by design and default – organisations will be obliged to ‘hardwire’ privacy considerations into their day-to-day operations and projects through measures such as minimising the amount of data held and activating privacy-friendly settings in technology.
– Breach notifications – there are express statutory obligations to notify privacy regulators and affected individuals in the event of a data privacy breach where there is risk of harm to individuals.
– Accountability – organisations will have to be able to demonstrate to privacy regulators that they are complying with the GDPR on an ongoing basis.
– Sanctions – the maximum fines that can be imposed for serious contraventions are €20m (or 4% of total worldwide turnover for businesses) but lesser contraventions also carry hefty fines.
As a Regulation, the GDPR will have direct effect in EU member states without the need for any national implementing legislation. The intention is to ensure that there is no scope for member states to water down the GDPR and regulators in each state will be expected to toe the line through ‘consistency’ mechanisms, which may curtail the UK regulator’s current light touch regime.
Between now and the GDPR’s introduction in 2018, if the UK opts to remain in the EU, many organisations will need to invest heavily in systems and resource to ensure that they will be compliant. There is much to do.
Grant Campbell is Head of IP, Technology & Outsourcing at Brodies LLP