05 January 2016
The first of a monthly series of blogs throughout 2016 on this important topic.
Today the BBC reported that “new European data protection laws will see a ‘dramatic increase in fines’ for data breaches … forcing firms to reassess their compliance procedures and consider making Data Protection Officer a board level position”.
This is a reference to the final draft of the EU General Data Protection Regulation (the Regulation) which the European Parliament and Council of the European Union agreed on 17 December 2015. A final version of the Regulation will be published later this month. When it comes into force it will have direct effect in all European Union countries and will replace the now out of date Directive 95/46/EC and the UK legislation implementing the Directive, the now familiar Data Protection Act 1998 (1998 Act). It will not come into force for another two years after the final version is published to allow businesses the time to ensure compliance.
There is a significant shift away from the eight data protection principles as set out in the 1998 Act, and the grounds for processing data under the Regulation will be less prescriptive and instead will be driven by a risk-based approach. For example:
- Data controllers will be obliged to carry out Privacy Impact Assessments (PIA) whilst constantly assessing how an individual’s right to privacy is balanced with how their personal data is being processed.
- Consent will have to be freely given, specific, informed and constitute an unambiguous indication of the data subject’s wishes by a clear affirmative action to the processing of his or her personal data.
- Pre-ticked boxes will not count as consent.
Throughout 2016 BTO will be providing in depth analysis of the changes expected from the new Regulation. This blog identifies the headline changes relevant to organisations in the UK.
Data Protection Authority
Where a business is established in more than one EU Member State, the data protection authority (DPA) of the main place of business will act as the lead authority for the business’ cross-border processing. In addition, each DPA will have jurisdiction over complaints and possible violations of the Regulation. In the UK, the DPA will still be the Information Commissioner’s Office (ICO), with a new Information Commissioner expected to be appointed this year as Christopher Graham’s term of office comes to an end.
There will no longer be a requirement to notify the ICO that you are processing personal data.
In the event of a data breach, data controllers based in the UK will be required to notify the ICO without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. Where the breach is likely to involve significant risks to individuals’ rights and freedoms, controllers must also communicate the breach to the individual without undue delay.
The ICO will have the power to impose higher fines for breaches of the Regulation. The maximum fine will be €20,000,000 or 4% of global turnover, whichever is the higher. This is in addition to individuals being able to claim compensation under the 1998 Act for damage and/or distress (following the decision in Vidal-Hall v Google) caused by the mishandling of their personal data.
Data Protection Officer
The Regulation requires certain organisations to appoint a Data Protection Officer (DPO), namely:
- All public bodies;
- Organisations whose core activities are the processing of information about individuals on a large scale;
- Organisations whose core activities are the processing of special categories of data and data relating to criminal convictions and offences (sensitive personal data).
It is likely that the appointment of a DPO will be highly advisable in other circumstances.
Significantly, data processors will have more responsibilities under the Regulation. Under the 1998 Act the data controller remained responsible for its data (and any mishandling) when it was simply being processed by a third party, but the Regulation means that the data processor becomes directly liable for the security of personal data during its processing activities. Processors will also become subject to fines from the ICO.
Privacy Impact Assessments
A Privacy Impact Assessment (PIA) will be required where the processing of personal data is likely to involve high risk to the rights and freedoms of individuals and, in particular, a PIA will be required for automated data processing activities.
Individuals will be given stronger rights under the Regulation. The definition of Personal Data will be wider, covering online identifiers or any factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
Individuals will have the right to object to their personal information being processed unless the data controller demonstrates compelling legitimate grounds for the processing which override the rights of the individual. Individuals will also be able to object to the processing of personal data for direct marketing purposes. The Regulation also means that individuals will have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects for them or otherwise significantly affects them.
The Regulation makes it easier for an individual to move their information from one data controller to another, with the right of individuals to receive personal data concerning them in a structured, commonly-used and machine-readable format. Finally, the Google right to be forgotten is part of the Regulation, and individuals will be able to request the erasure of their personal data without undue delay.
The implementation timetable is not clear but the Regulation has been considered for over three years now by the European Parliament and is now closer to its final form than ever. It will come into force two years after the final Regulation is published and this seems very likely to be early 2018.
BTO’s Data Protection Defence team will be considering a different aspect of the Regulation in detail every month of 2016 in this blog and are happy to provide advice, assistance and training on compliance with the current regime and the regime to come.
Happy New Year!