This week’s blog is about the General Data Protection Regulation (GDPR) which will come into force throughout Europe in exactly two months’ time and will herald the biggest change in privacy laws for a generation.
We tend to think of privacy laws as a modern phenomenon, whereas in fact it was the UN Convention on Human Rights in 1948 that first recognised privacy; this was largely to prevent a repeat of the abuse of such rights by Nazi Germany who collected vast amounts of personal data about its citizens for its eugenics policy.
Fast forward to April 2016 when the GDPR was enacted and organisations were given two years to get ready. It’s a ‘Regulation’ (not Regulations) just as previous EU announcements have been a ‘Directive’. The difference is that whereas Directives set out the purpose of the legislation which is to be enacted and then left it to Member States to interpret and write into their laws, a Regulation specifies the rules that must be followed. Hence, for the first time the legislation will be the same for all EEA countries.
This is important because the previous Data Protection Directive issued in 1995, which became the Data Protection Act 1998 (DPA) in the UK, was enacted with great variation throughout Europe. The UK and Ireland were considered to be the ‘gold’ standard and it was the ICO that was mainly responsible for the harmonising Regulation which has emerged as the GDPR.
What this means for many UK organisations is that they will have far less to do to comply with GDPR (assuming they are DPA compliant) than many of our European counterparts.
Although the Regulation is, in itself, binding on EU States and does not require enabling legislation to be passed, there will nevertheless be a Data Protection Act 2018 in the UK, which will encompass the Regulation and will remain in force if the UK leaves the EU.
Another change being introduced by the GDPR is that, unlike the current Act which requires organisations to register with the ICO and pay a fee, after 25 March, all organisations, including businesses of whatever size, charities, churches and public bodies will be automatically covered by the Regulation and will be charged a fee (subject to a few exemptions). Even if your business isn’t currently registered under the DPA it will automatically be covered by the new rules from 25 March, a fact which a lot of small businesses have overlooked.
The Regulation covers personal data held about data subjects (living individuals) and the storage, processing and transfer of that data. Data subjects have enhanced rights in relation to the data held about them including the right to know what that data is. A ‘subject request’, which means a request to disclose the data an organisation holds about a person, must now be replied to within 30 days without charge.
Much of the apparent complexity surrounding GDPR stems from the more onerous requirements to document such matters as the lawful basis for storing personal data, data processing contracts, the transfer of data outside of the EEA (for example to servers in the US), data retention policies and what are known as ‘data impact assessments’.
Organisations are also required to report a data breach, such as unauthorised access to data or loss of data, to the ICO within 72 hours of the breach. This will be challenging for many smaller businesses that may not yet have procedures in place to detect such breaches, particularly those that involve unauthorised access to IT systems. There is no doubt that breaches will occur more regularly than in the past which is partly why the ICO has significantly increased its staff numbers to deal with data breaches.
I could say a lot more about GDPR, but if you would like to learn more about how it may affect your organisation and how to become compliant, we offer a two hour workshop to explain the principles of GDPR and next steps, and a half-day consultation to advise on the actions an organisation should take to become GDPR compliant. To take advantage of either of these services for only a modest investment, email firstname.lastname@example.org.
Despite the additional work GDPR will involve, it isn’t the monster some commentators would have you believe. A little bit of foresight and planning followed by putting sensible processes and systems in place is all that is needed.