One of the lead stories on BBC 1 Breakfast this morning was about the overhaul of UK data protection laws.
British citizens will soon have more rights to control what is done with personal information about them. The UK data protection watchdog is also to get new powers and will be able to levy higher fines.
All this is true and has been in the pipeline for some time. Notwithstanding the result of the Brexit referendum, the UK is still currently subject to EU law, and that does not look like changing any time soon. Most of the changes to UK law that the BBC highlighted must be made to harmonise standards across the EU, which the EU’s General Data Protection Regulation (GDPR) requires to be in place by 25 May 2018.
Some of the changes are:
1) Increase in the level of fines: At the moment the maximum fine is £500,000. The GDPR provides for fines of up to 4% of worldwide annual turnover or €20 million (whichever is the higher).
2) Stronger rights for individuals: GDPR strengthens individuals’ rights and introduces stricter requirements for the processing of personal data. Under the current law, implied consent is often all that is required to allow certain types of personal data to be processed. You will probably have seen forms or websites which ask you to tick a box if you do not want your personal data processed in a certain way or shared with other businesses. If you fail to tick that box, you have given your implied consent. A stricter regime is contemplated under the GDPR, with more emphasis on the need for companies to produce evidence of affirmative action being taken in order to show consent. Silence or inactivity may no longer be enough to justify certain ways of dealing with personal data. Consequently you can expect to see fewer references on websites and documents to ticking a box if you don’t want to be marketed to by all and sundry.
In addition, the new law should make it easier for people to see what information organisations hold on them and to ask for certain data to be deleted: “the right to be forgotten”, as the BBC reporter referred to it this morning.
3) Privacy Impact Assessments (PIAs): GDPR requires some organisations to conduct PIAs where privacy breach risks are high, to minimise risks to the people they hold data about. This involves considering how personal data is handled and processed at every stage and whether there are adequate safeguards in place (e.g. encryption of certain types of personal data). Interestingly, this aspect was not mentioned in today’s coverage. We will have to wait until the new Data Protection Bill is published to see whether it addresses this issue fully and whether the new law includes anything over and above what is required by the GDPR.
The need to take action
Very few businesses operate outside the reach of data protection legislation. Nearly every business has employees, or buys or sells goods and/or services to individuals, so data protection legislation applies. The cost of getting it wrong can be frightening, not only in terms of the size of fines that may soon be imposed but also as regards reputational risk.
Is your organisation ready?
Now is the time to review your data protection policy and relevant procedures. If you have any questions or need assistance, please do not hesitate to contact a member of our Corporate & Commercial team on 0800 042 0700 or email email@example.com.