Data Protection – major changes are coming
Here’s our quick guide to what’s happening, when and why the changes are important to UK business – together with our recommendations as to what to do now.
What’s happening and when?
The UK’s current data protection regime has been in place for almost 20 years but a major overhaul is on the horizon. The Data Protection Act 1998 (DPA) is set to be repealed when the General Data Protection Regulation (GDPR) comes into force in May 2018.
What are the key changes?
The GDPR builds on the DPA but there are a number of significant changes, including:
1 New obligations on data processors:
- Must maintain records of the personal data they hold and their processing activities.
- More legal liability for data protection breaches.
2 The rules relating to consent to process personal data are being tightened up.
3 New rules about the processing of personal data relating to children.
4 Citizens’ rights are being expanded: As well as some changes being made to the right of individuals to have access to their personal data, new rights are being introduced:
- To have incorrect personal data rectified.
- To have personal data deleted.
- To restrict the processing of personal data.
- Data portability: to be able to have personal data safely transferred, e.g. between different organisations.
- To object to processing of personal data, e.g. for direct marketing purposes and profiling.
- To object to certain types of automated decisions (the decline of “the computer says no”).
5 New rules about accountability in relation to personal data, meaning organisations will need to be able to demonstrate their compliance with the law. This will include maintaining records of their data processing activities, as well as staff training, data protection audits and implementing measures to meet the new “data protection by design” requirements.
6 Some organisations will have to appoint a data protection officer.
7 New rules about reporting data protection breaches.
8 Significant increase in the maximum penalties for breaches (up to €20 million or 4% of global turnover).
Why is it important for UK businesses?
Apart from avoiding fines for breaches, compliance with the rules will be essential if businesses want to retain customer confidence and remain competitive both in the UK and overseas.
Won’t the changes be affected by the Brexit vote?
The interplay between when the GDPR comes into force (May 2018) and the timing of the Brexit negotiations gives lawyers plenty to debate – but our advice is to proceed on the basis that the GDPR (or similar new domestic legislation) will come into force in 2018. The UK Information Commissioner’s Office (ICO) recommends changes are made irrespective of the outcome of the Brexit negotiations.
What should businesses be doing now?
This will depend on the nature of your organisation, what sort of personal data you collect, where it is stored, what you do with it and who you share it with.
The first thing is don’t panic – as the ICO says, “if you are complying properly with the current law, then you have a strong starting point to build from. But there are important new elements and some things will need to be done differently.”
Second, make an early start: plan for the changes in good time to minimise business disruption and to avoid having to take hasty action at the last minute.
The ICO’s website contains a lot of useful general information to help you get started.
If you would like guidance about what to do to help your individual organisation get ready for the GDPR, please contact FSP’s commercial & technology team.