Earlier this year (in a time before Brexit) the European Parliament and Council adopted the General Data Protection Regulation (GDPR), a single regulation on data protection for the whole of Europe. It is intended to replace the previous data protection directive (Directive 95/46/EC), the directive that gave the UK the Data Protection Act 1998 (DPA), with one set of rules that applies directly in every member state.
What the GDPR offers as a regulation is adequately covered by the Information Commissioner’s Office (ICO) in their overview of the GDPR.
In general the data protection principles stay the same, covering everything from security of data to fair processing, but the GDPR introduces some new rules to address the growing importance of individuals' data in a digital world.
So, in a post-Brexit world, what does this mean for the UK?
- The GDPR is still relevant to the UK even though we are leaving the EU. Its scope is not limited to organisations based in the EU: it applies to anyone offering goods or services to, or monitoring the behaviour of, individuals in the EU. Beyond that, if we want personal data to keep flowing between the UK and Europe we will need to demonstrate that we have adequate controls in place
- Consent for processing of data will need to be explicit. The days of implied consent and of "opt-out" consent will be gone; consent must be a clear, affirmative action by the data subject, so pre-ticked boxes, silence or inactivity will not count. (Consent is only one of several lawful bases for processing, so not every activity needs it, but where it is relied on it must meet this standard)
- Data processing will need to be more transparent to the data subject, including how their data is processed and how they can withdraw consent, which must be as easy as giving it
- There will be a statutory right to be forgotten (the right to erasure) so a data subject can have their personal data deleted
- Data subjects will be able to request an export of the data held on them in a structured, commonly used and machine-readable format that can easily be transferred to a different organisation
- Some organisations will specifically need to appoint a Data Protection Officer to be in charge of the company's regulatory compliance. The requirement is not simply about size: it applies to public authorities and to organisations whose core activities involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data
- Organisations will need to be able to demonstrate their data processing activities, for example by keeping records of processing, and show that they are acting lawfully (the accountability principle)
- Data breaches will need to be reported to a supervisory authority (currently the ICO in the UK), generally within 72 hours of becoming aware of the breach, and where the breach is likely to result in a high risk to individuals there is a requirement to notify the affected data subjects too
- Fines will be up to 4% of annual global turnover or €20 million, whichever is higher, for data protection breaches
- Strict rules will be introduced for data processors (organisations that process data on behalf of other organisations), which for the first time will have direct statutory obligations of their own rather than only contractual ones
We're a while away from when the GDPR will be enforced across Europe (it applies from 25 May 2018), but now is the time to be prepared. In the UK, though, we have the added uncertainty of what the government will do regarding its implementation. If we were not leaving the EU it would be simple, as the regulation sets everything out for legislators to legislate; now that we're leaving, we need to see what the UK's version will look like.