Countdown to 2018: companies are advised to keep a keen eye on the new EU data protection laws
Over the last few years, the public has become increasingly concerned about individual privacy on the back of a series of information security scandals and concerns (raised by the former CIA contractor Edward Snowden) that intelligence services at home and abroad may engage in intelligence gathering that is not subject to proper control.
Current data protection laws – notably, the Data Protection Act 1998 in the UK – were conceived before the internet as we know it now existed and are simply no longer fit for purpose.
So, in December, there was an important announcement that Europe had finally agreed the text of a new piece of data protection legislation, the General Data Protection Regulation (GDPR), which will usher in a new regime.
Although it will be a further two years before GDPR takes effect, it will introduce much tougher rules for organisations that handle personal data.
Changes introduced by the GDPR include:
– Consent – the requirements for ‘consent’ are tightened so that ‘clear affirmative action’ will be required for consent to be established. The days of pre-ticked boxes will finally come to an end.
– Transparency – organisations must provide more information to us when they obtain our personal data to explain in more detail how that data will be used, how long it will be retained and, if it is to be stored outside the European Economic Area (EEA), where it is to be held and how it is to be safeguarded.
– Access – the rules allowing us to access our personal data and to obtain information about how that data is being used are being strengthened and the timescale for responding is being shortened.
– Privacy by design and default – organisations will be obliged to ‘hardwire’ privacy considerations into their day-to-day operations and projects through measures such as minimising the amount of data held and activating privacy-friendly settings in technology.
– Breach notifications – there are express statutory obligations to notify privacy regulators and affected individuals in the event of a data privacy breach where there is risk of harm to individuals.
– Accountability – organisations will have to be able to demonstrate to privacy regulators that they are complying with the GDPR on an ongoing basis.
– Sanctions – the maximum fines that can be imposed for serious contraventions are €20m (or 4% of total worldwide turnover for businesses) but lesser contraventions also carry hefty fines.
As a Regulation, the GDPR will have direct effect in EU member states without the need for any national implementing legislation. The intention is to ensure that there is no scope for member states to water down the GDPR and regulators in each state will be expected to toe the line through ‘consistency’ mechanisms, which may curtail the UK regulator’s current light touch regime.
Between now and the GDPR’s introduction in 2018, if the UK opts to remain in the EU, many organisations will need to invest heavily in systems and resource to ensure that they will be compliant. There is much to do.
Grant Campbell is Head of IP, Technology & Outsourcing at Brodies LLP