With just eight months to go before significant changes to the data protection rules come into force across Europe, many UK businesses are still not up to speed with the way they’ll need to change their working practices.
For those who fail to organise themselves in time, Information Commissioner Elizabeth Denham is warning of potential trouble ahead: “If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance.”
On the other hand, being able to demonstrate compliance with the new regulations will make your consumers feel more comfortable about what happens to their data and boost their trust in your business.
Why is the law changing?
Current data protection legislation in the EU is based on the 1995 Data Protection Directive. This was implemented in the UK by the Data Protection Act 1998. It goes without saying that rules drawn up over 20 years ago, when the internet was in its infancy, needed a radical overhaul to cater for the volume of data now being processed and the myriad uses to which that data is put.
European lawmakers first proposed a comprehensive reform of data protection rules in January 2012. After four years of hard work and negotiation, the resulting General Data Protection Regulation (GDPR) finally entered into force on 4 May 2016. Data processing businesses had two years to adapt their practices before the law becomes directly applicable in all member states from 25 May 2018.
How is the UK affected?
The UK will still be a member of the EU when the GDPR comes into force next year, and British businesses will need to be compliant. As the GDPR is a Regulation (not a Directive), it will apply automatically to the UK without the need to draw up new legislation.
Earlier this year, in the Queen’s Speech, the UK Government announced a new Data Protection Bill with a view to updating and strengthening data protection laws in this country. The Bill is expected to be introduced when Parliament returns from summer recess in early September. It will bring the EU Regulation into UK law and replace the existing Data Protection Act. As and when the UK leaves the EU, the new Data Protection Act will replace the GDPR.
The GDPR in a nutshell
- Closely defines “personal data” – essentially any information that relates to an identified or identifiable person.
- Requires consent to be freely given, specific, informed and an unambiguous indication of the individual’s wishes. There must be a positive opt-in: consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and there must be simple ways for people to withdraw consent.
- Defines what can be done with personal information.
- Gives a person the right to know what information is held about them.
- Allows a person to request that information about them be erased and that they be ‘forgotten’ – unless there is a reason not to do this.
- Stipulates that new systems must have protection designed into them (‘privacy by design’). Access to data must be strictly controlled and only given when required (‘privacy by default’).
- If data is lost, stolen or accessed without authority, the authorities must be notified. Those whose data has been accessed may also need to be notified.
- Data cannot be used for anything other than the reason given at the time of collection.
- In the case of decisions made on automated profiling (eg analysing or predicting aspects of a person’s performance at work, behaviour, reliability or personal preferences), individuals have the right to obtain human intervention, express their point of view, obtain an explanation of the decision and challenge it.
- Data must be securely deleted after it is no longer needed.
- Organisations in breach of the Regulation can be fined up to €20 million or 4% of their global turnover – whichever is higher.
Useful links
- ICO guidelines: Getting ready for the GDPR, GDPR self assessment toolkit and GDPR: 12 steps to take now (PDF)
- Regulation (EU) 2016/679 (General Data Protection Regulation)
- European Commission Fact Sheet 24 May 2017: Questions and Answers – Data protection reform package
- If you are a recruiter and a member of the Recruitment & Employment Confederation (REC), their GDPR section has a range of useful resources. The REC also publish this publicly-available infographic.