Data protection law changes – part two

Last week, we highlighted the fact that a new EU Regulation on data protection is to come into force in May 2018 and outlined the types of data that it covers. In part two, we include the main changes between the new General Data Protection Regulation (GDPR), the Data Protection Directive and Data Protection Act.

To recap, the EU’s Data Protection Directive was introduced in 1995 and required the UK to bring in its own legislation. The Data Protection Act (DPA) became law in 1998.

The principles of the DPA will still apply under the GDPR. The main changes are briefly outlined here:

• Increased territorial scope – all companies processing the personal data of anyone residing in the EU will come under the scope of GDPR, regardless of where the company itself is based
• Penalties – an organisation seriously infringing the resolution can face a fine of up to €20m or 4% of annual global turnover (whichever is greater). Lesser infringements could incur a 2% fine. Additionally, damage claims can be brought by individuals or groups, carrying both financial and reputational implications
• Consent – request for consent to use personal data must be given in an intelligible and easily accessible form. Users should not have to opt out of their data being used, they must opt-in to your systems. Consent must be freely given, informed, specific and unambiguous, and it must also be as easy to withdraw consent as it is to give it
• Privacy by design – the inclusion of privacy from the outset of designing of a system rather than as an addition
• Extended rights –
  • Data controllers (organisations holding personal data) are required to inform data subjects (individuals) of any data security breaches within 72 hours of becoming aware of the breach where the breach is likely to “result in a risk for the rights and freedoms of individuals”
  • Individuals can obtain a copy of personal data from the data controller in a digital format, and obtain confirmation of whether their personal data is being processed, where and for what purpose
  • Personal data obtained by an individual from a data controller is portable i.e. it can be transmitted to another controller
  • Under certain conditions individuals have the ‘right to be forgotten’ i.e. to ask that the data controller erase their personal data and cease further distribution of it.
• Data protection officers (DPO) – Controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale will be required to appoint a DPO. It is a good idea, however, for all organisations to appoint someone responsible for data protection compliance
• Accountability – companies are expected to put into place governance measures such as privacy impact statements to demonstrate they comply with the principles of the regulation.

Next week, we will conclude our series on GDPR with steps to compliance and FAQs. However if you wish to know more now, download CJAM’s GDPR Q&A document.