Data protection - preparing for changes
Find out more about the General Data Protection Regulation (GDPR), which is likely to come into force in early 2018 and is intended to provide an updated and more consistent approach to data protection across Europe.
The legislation is still in draft form and is therefore subject to change.
Key Proposed Changes
- Non-EU businesses will be subject to the GDPR if they either offer goods or services to EU data subjects or monitor their behaviour. This expands the number of businesses who will be required to comply with data protection legislation.
- Obtaining consent to process data will be subject to more stringent requirements. Consent must be freely given, specific, informed and explicit, and demonstrated by a statement or clear affirmative action. Implied consent will no longer be enough.
- Enforcement fines will be significantly increased. Furthermore, new obligations will be imposed on data processors, who may be fined directly.
- Businesses will be responsible for assessing the degree of risk their processing poses to data subjects. Businesses with a low risk may have a reduced compliance burden.
- Businesses will no longer have to register with the DPA but instead will have to maintain detailed documentation of all processing operations.
- There will be strict requirements to notify the DPA of any breach without undue delay and, it has been proposed, no later than 24 hours after the breach. There are likely to be additional requirements to notify the individuals affected.
- There may be fewer restrictions on key-coded or otherwise enhanced data (known as 'pseudonymised' data).
- There will be a less onerous process for seeking approval of binding corporate rules. These lawfully transfer personal data out of the European Economic Area.
- The rights of data subjects will be increased. Individuals will have the right to request that a business delete their personal data in certain circumstances. Individuals will also have a right to object to their data being used for profiling, such as online tracking, where the profiling significantly affects them.
- Businesses will no longer be able to charge a fee for a subject access request.
What steps can businesses take at the moment?
Although these provisions are subject to change, there are a number of steps that businesses can begin to take now to ensure they are prepared for the GDPR's adoption.
Businesses established outside the EU should consider whether any of their entities may be subject to the new regulations, even if they were previously outside the scope of the Data Protection Directive.
It is important that data protection procedures are reviewed, given that substantial fines may be imposed for non-compliance. In particular, businesses should ensure that the data subject's explicit consent is obtained and recorded, for example in writing, so that it can be demonstrated later. When new products that involve processing personal data are designed, businesses should take data protection requirements into account from the outset and undertake impact assessments.
Consideration should be given to appointing a data protection officer and to keeping all records of data processing activities up to date. A breach response plan should be prepared so that the business can detect, assess and report a breach within the short notification period proposed. Additionally, businesses should review their procedures for deleting personal data so that deletion requests from individuals can be honoured.