Is Data Protection likely to be a piece of red tape that can be cut post-Brexit? Unfortunately not. If the UK wants to remain prominent as an international centre for trade, its businesses must continue to offer levels of data protection acceptable to their business partners. The new General Data Protection Regulation (GDPR) is due to be implemented in 2018 and all indications are that the UK will adopt the Directive whether as part of the EU or not.
If you are compliant with the provisions of the Data Protection Act 1998, then the Information Commissioner’s Office (ICO) believes you have a good starting block to build from. The ICO have produced guidance in the form of “12 steps to take now” ICO 12 Steps the first of which is to carry out an information audit. This should cover what personal data you hold, how you obtained it, what you do with it and who you share it with. This will help you to identify what changes need to be made to ensure compliance with the GDPR. New powers of audit available to the ICO will allow them to obtain access to your premises to inspect documentation recording such processing activities. Alongside the new regime comes a seriously high level of potential fines for breach. The maximum fine that can be imposed has been raised from £500,000 to €20 million or 4% of the organisation’s worldwide annual turnover if greater.
Other changes to be introduced by the GDPR affect the obligations of “data processors” (those who process personal information on behalf of the data controller). No longer can data processors hide behind the skirts of the data controller and instead will be directly liable under the GDPR. Expect some re-negotiation in your contracts with those who process information for you (such as payroll operators and technology providers).
Other changes include:
- Where businesses operate in more than one country, the regime applicable will be that in their main place of business;
- Businesses outside of the EU who provide goods and services to data subjects in the EU will be subject to the GDPR (BREXIT Spoiler!);
- Consent of data subjects to the processing of their data must be able to be clearly evidenced in the affirmative. No more unticking of boxes, positive ticking must be shown;
- Breaches must be reported “without undue delay” and where feasible within 72 hours, this includes notifying the applicable data subjects affected;
- More rights in favour of the data subject to object to processing, require deletion of personal data and request access to the data stored. All of these are likely to require processes to be put in place to allow them to happen.
At this stage awareness is the key. Businesses should start to think about areas of their operations likely to have cost implications in complying with the GDPR, and make sure that the key people in their organisation are aware that the law is changing.
If you would like more information on Thursfields’ Data Protection services for your business, please contact Corporate Commercial Team specialists, Jane Rudge or Stuart Price.