Pension Funds Insider


How will the new General Data Protection Regulation (GDPR) impact your business?

Friday, May 13, 2016


Roisin McKeever explains, in eight steps, what effect the GDPR may have.

With all the recent news regarding the elections and Brexit, one may be forgiven for not having considered the pending changes to the Data Protection Directive 95/46/EC, which were adopted by the European Parliament on 14 April this year.

On 25 May 2018, the existing Data Protection Directive 95/46/EC (which was implemented in the UK as the Data Protection Act 1998) will be replaced by the new EU General Data Protection Regulation (GDPR).

This change is a result of our ever-evolving working environment, which has led more businesses to turn to cloud providers to secure their data, counter cyber security threats and enable flexible working.

It will also harmonise (a favourite EUism!) data protection under a single legal framework applying across all EU member states.

The majority of the GDPR's core principles are much the same as those in the current Data Protection Directive. Therefore, if you are already complying with the existing legislation, the DPA 1998, the successful implementation of the new Regulation will not be as painful as one may think.

However, the GDPR has placed considerably more emphasis on governance and accountability.

So how does this affect the way businesses manage their data?

The GDPR will significantly change the overall means by which data protection is implemented. Below are a few examples of the new elements and of how businesses will have to address them, for the first time in some cases and differently in others:

1. Both the Data Controller and the Data Processor are equally liable for monetary penalties and fines.

2. Businesses must assign a Data Protection Officer, if required, or an individual to take responsibility for data protection compliance and governance. This includes assessing where this role will sit within a business' structure.

3. The enforcement fine for data protection breaches increases from £500,000 to 5% of global turnover or €100 million. Strategic Risk Registers will need to be revisited.

4. A 72-hour period to notify the Data Protection Authority (in the UK, the ICO, the Information Commissioner's Office) from the first knowledge of a data breach, with affected data subjects to be notified "without undue delay".

5. A public record will be maintained for all incidents regardless of whether they are prosecuted or not. This record will be maintained on the ICO website and accessible by the public.

6. Individuals will have a right to claim compensation for damages due to a breach from both the Data Controller and the Data Processor (including the right to non-monetary damages, e.g. for distress).

7. Explicit consent is required for data collection and usage.

8. Implied consent will not be allowed and consent will only be valid when it is specific and the individual has been informed how their data will be used.

To assist businesses with their preparations, the ICO earlier this year launched a 12 step checklist.

And there's more!

In addition to the above, consideration should be given to the EU-US Privacy Shield. As a result of the Court of Justice of the European Union (CJEU) decision on 6 October 2015, the EU-U.S.

Privacy Shield has replaced the transatlantic Safe Harbour framework (Harbor, depending on which spelling you prefer to use), which essentially guaranteed, where required, the safe transfer of European citizens' data to the U.S. in line with EU Directives.

Due to the U.S. domestic surveillance programme, the CJEU deemed Safe Harbour inadequate in meeting the EU Directives, and it was immediately invalidated. The potential impact on transatlantic commerce would have been catastrophic.

Therefore, in February 2016, the EU in conjunction with the U.S. drafted, and provisionally agreed, the Privacy Shield framework.

The Privacy Shield now requires the U.S. to place stronger obligations on U.S. companies regarding data storage, with more robust monitoring of data, to guarantee the privacy of all European citizens' data.

For the first time, the U.S. has also agreed that complete transparency in the handling of all EU data by all of its public and Government agencies will be made available. It is worth noting that the Privacy Shield only applies to the transfer of data between the EU and the U.S. and does not cover any subsidiary businesses in non-U.S. countries.

On 24 October 1995, the European Parliament set up the Article 29 Working Party, which, in conjunction with the Data Protection Directive 95/46/EC, would address the protection of individuals with regard to the processing of personal data and the free movement of such data.

The Article 29 Working Party has been working closely with the EU and the U.S. on finalising the Privacy Shield. However, this framework was dependent on the EU's completion and adoption of the terms of the GDPR. A provisional completion date of summer 2016 has been agreed.

In the interim, all businesses that have been dependent on Safe Harbour need to ensure that a) they no longer rely on it for the compliant transfer of data between the EU and the U.S., which can be addressed by Binding Corporate Rules (which would facilitate inter-company agreements) or model clauses, and b) immediate consideration is given to the GDPR and its impact.

Act now

25 May 2018 may appear to be a date in the distant future.

However, two years is not a long time frame in which to implement the GDPR and make considerable enhancements to your protocols, processes and infrastructure, thus ensuring that you confidentially manage your data and the data of other third parties in line with the new Regulations.

With this in mind, how well equipped is your business to implement these changes? The sooner you start to address this, the better.

Written by Roisin McKeever, Information Officer, Veratta.