The general data protection regulation
Earlier this year the European Union approved the General Data Protection Regulation (“GDPR”) as a replacement for the current UK and EU data protection regime. This reform will affect every business and other organisation which operates in the UK, regardless of size or industry.
The GDPR will ensure that individuals’ personal data is better protected. However, in order to do so it will impose more onerous obligations on businesses together with harsher penalties (breaches of the GDPR can lead to fines of 20m Euros or 4% of global turnover).
This article, which is the first in a series by Freeths on the GDPR, will provide an introduction to the new law. We will briefly explain what the GDPR is, why it is being introduced, who it will affect, some of its general implications, the timetable and what (if any) impact a Brexit would have. Finally, we will suggest a few simple steps your organisation can take to begin preparing for the GDPR.
The rationale for introducing the GDPR
Data protection law across the EEA (i.e. the EU Member States, plus Norway, Iceland and Liechtenstein) is currently based upon a series of national laws, each of which implements the EU Data Protection Directive 95/46/EC (the “1995 Directive”). The UK has done this using the Data Protection Act 1998 (“DPA”).
Because the existing data protection regime is governed by the national laws of the various Member States, even though all the laws are based on the 1995 Directive, the law as a whole is fragmented and differs from country to country.
The lack of harmonisation creates problems. For instance, whenever data is transferred from one country to another it will be subject to different laws which are enforced by different regulators. This creates uncertainty for businesses and individuals alike.
Another problem with the 1995 Directive is its age. The law is now over 20 years old and, though it has evolved somewhat through court judgments and other legislation, it has not kept pace with technological developments.
The role of personal data in society, commerce and the economy has changed enormously over the past twenty years and the law needs to adapt to this. By way of illustration, the 1995 Directive was agreed years before Facebook, Twitter or even Google existed. In fact, it was being negotiated at around the same time Bill Gates said Microsoft was “not interested” in the Internet.
The purpose of the GDPR
The GDPR will result in a new data protection regime and provide better protection for the fundamental rights and freedoms of individuals in relation to their personal data.
However, this will increase the burden of compliance for most organisations, and the potential fines which can be imposed for breaches of data protection law will increase significantly (from £500,000 to up to 20m Euros or 4% of global turnover).
There will be some benefits though and, by harmonising and unifying the law, the GDPR will remove obstacles and complexities when transferring data elsewhere within the EEA.
Furthermore, a large part of compliance is common sense and good practice when handling personal data. Those organisations which comply with the existing law and take the time to properly prepare for the GDPR will not only avoid significant fines and reputational damage, but will find that their data handling, information security, internal administrative processes (like staffing) and contractual relationships are more robust and reliable as a result.
Who will the GDPR apply to?
The vast majority of businesses (whether companies, partnerships or individual traders) and other organisations (including charities and public authorities) will be affected by the GDPR and data protection will need to be considered in relation to almost every aspect of an organisation’s operations.
The GDPR will have worldwide application, so organisations based outside the EEA which do business with EU citizens or process their data (for example, online stores operating out of the USA) will be subject to it, though whether or not it will be enforced against organisations with no EU presence remains to be seen.
What are the implications of the GDPR?
The GDPR is not designed to unnecessarily interfere with business or make compliance impossible. Its purpose is to ensure that the individuals and their personal data are adequately protected and the new law will, in most respects, be an evolution and development of the existing one.
As a result of numerous high profile data breaches, large organisations are starting to recognise that personal data which is held improperly, unnecessarily or without adequate protections, represents more of a liability than an asset. As the majority of the GDPR is based on the 1995 Directive those organisations which have managed to comply with the existing law should find transitioning to the new a relatively smooth and simple process.
The most significant change to the law made by the GDPR is that, from 2018, data processors will also be directly liable to regulators and data subjects. This removes one of the main weaknesses of the 1995 Directive and the DPA, which is that the law only regulates ‘controllers’ (i.e. persons in charge of how the data is used, stored, transmitted etc.).
Under the GDPR, ‘processors’ (i.e. persons who act on the controller’s instructions) can be pursued in the event of a breach. For controllers this will be a welcome change as, in the event of a breach, there may now be other persons in the firing line.
Of course processor liability won’t relieve controllers of responsibility for their data, and they must still be careful when selecting processors and always ensure proper contracts are in place. However, processors will also need to know their controllers have complied with the GDPR (for example, when it comes to obtaining consent or having other legitimate grounds for processing). As a result, each party will be looking for protections (possibly in the form of an indemnity) from the other in the event of a breach.
Finally, because the GDPR is a ‘Regulation’, as opposed to an EU Directive, it applies directly and (largely) uniformly across the EU. This should, to a large extent, result in a harmonised data protection regime across Europe.
The GDPR will introduce a new system of tiered fines which can range up to €100m or 4% of world-wide turnover.
Whilst the GDPR will result in more severe penalties, organisations based over here can take some comfort from the fact that the UK regulator, the Information Commissioner’s Office (or “ICO”), has traditionally preferred to help organisations towards compliance rather than impose penalties. The current UK data protection regime allows the ICO to impose fines of up to £500,000; however, the highest penalty imposed for a data breach has been £320,000. Significant fines tend to be a last resort and are usually for particularly serious, negligent or repetitive breaches.
That said, the GDPR will also abolish the ICO’s current funding stream (notification fees for those persons acquiring a place on the register of data controllers), and its enforcement approach may change if it ends up relying on fines for funding. Other factors that might influence penalties are the introduction of a new Information Commissioner, Elizabeth Denham, in 2016 and the harmonisation of enforcement across the EU (including the setting up of a European Data Protection Board).
Finally, in almost all data breaches, fines tend to be a small amount of the overall harm a business suffers. Much more significant are the reputational damage, lost business and remedial costs involved.
The implementation of the GDPR will result in many other changes to the UK data protection regime. These include:
- the abolishment of the requirement that data controllers notify (i.e. register with) the ICO of their data processing activities;
- a new requirement to notify the authorities within 72 hours (and, in some cases, also promptly notify individual data subjects) of a data breach;
- data subjects being able to complain to any regulator – the ‘one stop shop’ (in reality the regulator of the controller’s main establishment will likely remain in overall control);
- the establishment of a new European Data Protection Board which will supervise all the national data protection regulators; and
- better-defined rights for data subjects, including the right to have personal data erased or deleted (also known as “right to be forgotten”) and a clear right to withdraw consent to processing.
Timetable and Brexit
The GDPR was proposed in 2012, published in the EU’s Official Journal in May 2016, and will come into force on 25 May 2018 following a two-year implementation period. It is reportedly the most lobbied piece of legislation passed by the EU.
It is now inevitable that the GDPR will enter into force in every EEA Member State. However, what would happen to the GDPR’s implementation in the UK if we decided to leave the EU in the forthcoming referendum?
The answer is, probably not much. The UK would no longer be part of the EU and (in order for data to keep flowing) it would therefore have to either join the EEA (and sign the GDPR), or else “ensure adequate protection” in order to either enter into a safe-harbor style agreement with the EU or earn a place on the EU Commission’s ‘white list’ of safe countries.
However, ensuring ‘adequate protection’ will require equivalent protection and may result in the UK having the compliance burdens of the GDPR without the benefits (such as harmonised enforcement and the opportunity to shape data protection policy through involvement in bodies like the EDPB).
There is a third option (of not implementing the GDPR or an equivalent level of protection) and becoming a data protection pariah, though for obvious political and economic reasons, this is very unlikely.
What to do next
Organisations need to be preparing now for the implementation of the GDPR. Data protection and security are a serious concern for all organisations and, in business, need to be dealt with at board level. Delegating fragments of responsibility to HR, IT or other departments makes a data breach and regulatory action much more likely.
The ICO has published guidance for businesses to help them ready themselves. However, fully complying with the current law is the best way to prepare for the GDPR. If you’re not sure whether or not your organisation has complied with all the requirements of the Data Protection Act 1998 then you should seek advice from a lawyer with expertise in data protection as, if you don’t know what the law is, there’s a good chance you may be in breach of it.
Once this has been done you will then need to ensure your business understands the proposed changes and has appropriate procedures and processes in place (for example, in relation to security, data retention, staff training, contract clauses, supply chain management).
Freeths can help businesses comply with the law and prepare for the GDPR in a variety of ways, from in-house data protection training and contract reviews through to drafting Model Clauses for transfers outside the EEA and data protection policies.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.