The UK's current data protection regime has been in place for almost 20 years but a major overhaul is on the horizon. The Data Protection Act 1998 (DPA) is set to be repealed when the General Data Protection Regulation (GDPR) comes into force in May 2018.
What are the key changes?
The GDPR builds on the DPA but there are significant changes, including:
1. New obligations on data processors:
- Must maintain records of the personal data they hold and their processing activities.
- More legal liability for data protection breaches.
2. The rules relating to consent to process personal data are being tightened up.
3. New rules about the processing of personal data relating to children.
4. Citizens’ rights are being expanded: in addition to changes to the existing right of individuals to access their personal data, new rights are being introduced:
- To have incorrect personal data rectified.
- To have personal data deleted.
- To restrict the processing of personal data.
- Data portability: to be able to have personal data safely transferred, e.g. between different organisations.
- To object to processing of personal data, e.g. for direct marketing purposes and profiling.
- To object to certain types of automated decisions (the decline of “the computer says no”).
5. New accountability rules mean organisations will need to be able to demonstrate their compliance with the law. This will include maintaining records of their data processing activities, staff training, data protection audits and implementing measures to meet the new “data protection by design” requirements.
6. Some organisations will have to appoint a data protection officer.
7. New rules about reporting data protection breaches.
8. Significant increase in the maximum penalties for breaches (up to €20 million or 4% of global turnover).
Why is it important for UK businesses?
Apart from avoiding fines for breaches, compliance with the rules will be essential if businesses want to retain customer confidence and remain competitive both in the UK and overseas.
Won't the changes be affected by the Brexit vote?
The timing of when the GDPR comes into force relative to the Brexit negotiations gives lawyers plenty to debate; our advice is to proceed on the basis that the GDPR (or similar new domestic legislation) will come into force in 2018. The UK Information Commissioner’s Office recommends that changes are made irrespective of the outcome of the Brexit negotiations.
What should businesses be doing now?
This will depend on the nature of your organisation, what sort of personal data you collect, where it is stored, what you do with it and who you share it with. We would recommend that you make an early start and plan for the changes in good time to minimise business disruption and to avoid having to take hasty action at the last minute. We are happy to discuss the processes and policies that you should be implementing to ensure compliance without adversely impacting your business.