This is the first in a series of Your Compliance Matters newsletters that will cover the forthcoming changes to data protection legislation and its implications and consequences.
In 2012, the European Commission proposed new regulations on data protection that would supersede the national laws of the 28 EU (European Union) member states. After much toing and froing between the various European legislative bodies, the new requirements were formally approved in April 2016, and will be effective from 25 May 2018.
The new legislation is referred to as the General Data Protection Regulation (GDPR).
It is worth giving a reminder of how EU legislation is arrived at: the aims set out in EU treaties are achieved by several types of legal act. Some are binding, others are not. Some apply to all EU countries, others to just a few. For example:
Regulations: A "regulation" is a binding legislative act. It must be applied in its entirety across the EU.
Directives: A "directive" is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.
The GDPR will apply to any business that operates within the EU, but also any company that processes data from EU citizens. It doesn’t matter where the organisation is located.
GDPR and “Brexit”
GDPR will come into force on 25 May 2018, when the UK is likely to still be in the EU.
GDPR is an EU regulation applicable in the UK without the need for domestic UK legislation (and so will apply between May 2018 and any departure from the EU).
As a regulation, GDPR will automatically fall away in the event that the UK leaves the EU – unless and to the extent the UK adopts domestic legislation to retain GDPR in whole or part. Current UK government announcements support such retention.
Current Data Protection legislation
Currently, the Data Protection Act 1998 (DPA), which implemented the European Data Protection Directive in the UK, is the main and relevant legislation in the UK.
The DPA is based around eight principles of ‘good information handling’. These give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.
The 8 principles state that personal information must be:
fairly and lawfully processed;
processed for specified purposes;
adequate, relevant and not excessive;
accurate and, where necessary, kept up to date;
not kept for longer than is necessary;
processed in line with the rights of the individual;
kept secure; and
not transferred to countries outside the European Economic Area (EEA) unless the information is adequately protected.
GDPR Summary
Under the GDPR, the data protection principles set out the main responsibilities for organisations. The principles are similar to those in the DPA, but with added detail at certain points and a new accountability requirement.
The GDPR does not have principles relating to individuals’ rights or overseas transfers of personal data; these are now specifically addressed separately.
The most significant addition is the accountability principle. The GDPR requires firms to show how they comply with the principles, for example, by documenting the decisions taken about a processing activity.
Article 5 of the GDPR requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Information Commissioner’s Office (ICO)
The ICO is the independent UK regulator enforcing the laws that govern privacy. As such, it has a very big part to play in the introduction and implementation of the GDPR.
The Information Commissioner, Elizabeth Denham, discussed the role of accountability in the GDPR, noting: “We’re all going to have to change how we think about data protection.”
She comments further: “The General Data Protection Regulation builds on the previous legislation: but provides more protections for consumers, and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data. And it puts an onus on businesses to change their entire ethos to data protection. The message about GDPR is continuity and change.”
The ICO suggests that it is essential to start planning an approach to GDPR compliance as early as possible and has produced a 12-point checklist to assist. However, some parts of the GDPR will have more of an impact on some organisations than on others (for example the provisions relating to profiling or children’s data), so it would be useful to map out which parts of the GDPR will have the greatest impact on individual business models and give those areas due prominence in the planning process.
The 12 points are as follows:
1) Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR.
2) Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit, across the organisation, or within particular business areas.
3) Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4) Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5) Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6) Legal basis for processing personal data
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
7) Consent
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
8) Children
You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
9) Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10) Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIAs) and work out how to implement them in your organisation.
11) Data Protection Officers
You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
12) International
If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
We will be maintaining a watching brief as this topic develops so that we can alert client firms to the changing requirements and assist them with their obligations under the new data protection legislation.