It seems that big changes to data protection as we know it are on their way to the UK: after several years of preparation and lobbying, the European Parliament has finally adopted the new European General Data Protection Regulation (GDPR), which replaces Directive 95/46/EC.
So what is the GDPR you ask?
Well, it will officially replace the basis behind the Data Protection Act 1998 and will become law in all EU member states from May 2018. The GDPR will also affect any business that processes the personal data of EU citizens, even if it is based outside of the EU.
The regulation lays out compliance measures that each member state will need to meet before it takes over for good in the summer of 2018. So what are the main changes we can expect from the GDPR?
One of the biggest relates to data responsibility: under the GDPR, both Data Controllers and Data Processors will be responsible for protecting the data they handle.
All organisations will be obligated to have a full and firm understanding of what data they acquire, hold and process – and the legal basis for that data. Data protection measures must be integrated into business processes, in order to respect the rights of data subjects.
Most organisations will have to appoint a data protection officer, particularly those which process large amounts of sensitive personal data.
Additionally, the GDPR introduces a new obligation to notify data breaches to the relevant authorities within 72 hours of their first discovery.
At present the Information Commissioner can, in certain circumstances, impose financial penalties of up to £500,000. Under the new rules, non-compliance fines for failures to report breaches will be tiered, with a top-tier fine of up to a staggering 4 per cent of global annual turnover for late-reporting firms.
Firms may need to strengthen their privacy protections, in particular given the cyber-threats that exist at present. Policies and procedures for handling security breaches may need to be reconsidered and updated, with all of this completed before the implementation date.
This news comes at a time when a London HIV clinic that leaked data on 781 of its patients has been fined £180,000.
The Information Commissioner’s Office (ICO) said the breach was “likely to have caused substantial distress” to those affected by the leak. Under data protection rules, the data involved was deemed sensitive, and the organisation was issued such a hefty fine as a result. Under the new regulations, could the fine have been even higher?
Organisations may need to appoint a data protection officer if they don’t have one already, and to assess how and for what purpose they currently hold and/or process data. It may also be worth starting to review and update existing contracts in respect of the parties’ data protection obligations.
Processing personal data is fundamental to the work of a solicitor. At present, the Data Protection Act 1998 (DPA) regulates the processing of information relating to individuals. Solicitors should already be well versed in the DPA, but the clock is ticking on preparing for the GDPR.