What to expect from the General Data Protection Regulation (GDPR)
The UK government has “form” on this. They have many times taken a very small piece of EU legislation and then expanded its scope to also implement extra changes not required by the EU, but then blamed the EU for the whole legislation. The only thing Brexit will change in this regard is that the government will no longer be able to blame the EU for unpopular legislation.
The new legislation will give individuals greater rights over their personal data online and hold businesses accountable for managing and securing data properly.
The UK has the largest internet economy in the G20, and yet the most recent data protection legislation, the Data Protection Act 1998, came into force in 2000. This new Bill gives the legislation a much needed update to address the new challenges of the digital age.
So what are the key points in the legislation?
Individuals to have greater control over personal data online
At the crux of the legislation is empowering individuals to have greater control over their personal data – specifically to access, erase and move it. The definition of personal data is also expanded to include IP addresses, internet cookies and DNA.
The new legislation affords the public “the right to be forgotten”, which allows them to ask for online personal data to be erased. This includes removing information posted during childhood from social media.
Individuals will also have greater rights to ask organisations to disclose what information they hold on them, free of charge.
The new rules also give customers greater power over data portability, making it easier for them to move data between service providers. This aims to give customers greater choice, and to encourage competition and innovation in services.
Issues of privacy and consent are central to this legislation, and another measure to support this is the ending of “default opt-out or pre-selected ‘tick boxes’”. Today such boxes are treated as giving consent for organisations to collect personal data even though they are often ignored; under the new rules consent must be an active, affirmative choice.
Businesses to be held accountable for securing data
With this legislation the government aims to “build accountability but with less bureaucracy”. Businesses will be obligated to ensure their data is secured and managed properly and to prioritise privacy when dealing with personal data.
Organisations dealing with high-risk data processing will have to carry out data protection impact assessments (DPIAs) to ensure they fully understand and are able to mitigate the risks before processing begins.
In the instance of a personal data breach, businesses must notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If the breach is high risk, businesses will also be obliged to notify affected individuals without undue delay. In practice this means incident response plans need a detection-to-assessment path that can establish what data was affected, and how many people, inside that 72-hour window.
Andrew Rogoyski, UK head of cyber security for CGI, commented on the complexities attached to the GDPR, which may see companies having to redistribute resources to meet the new requirements: “GDPR will affect numerous areas, such as new definitions of what constitutes personal data, and rights of consent,” he said. “These will require businesses to invest extra time and money into understanding the nature of the data they hold, and the measures they put in place to protect sensitive data, including skilled staff, procedures and training.”
New powers, sanctions and offences
Under the new legislation the ICO will be granted greater powers to carry out investigations and impose sanctions. Its investigatory powers will include the ability to obtain “information from data controllers and processors, enter and inspect premises, carry out audits and require improvements.”
Currently, the ICO can issue a maximum fine of £0.5m. This will change under the new law, which will allow the Office to impose larger fines of up to £17m (€20m) or 4% of global annual turnover, whichever is higher.
The scope of criminal offences and sanctions will also be widened, including the creation of a new offence that penalises organisations which intentionally or recklessly create situations in which someone can be identified from anonymised data.
Interestingly, the new legislation also affords protection to journalists and whistleblowers who hold organisations to account.
The Bill also sets out rules for processing by criminal justice agencies. Separately, the role of Data Protection Officer (DPO) is formalised: the DPO advises data controllers and processors on their data protection obligations and acts as a contact point for the ICO, and public authorities and organisations whose core activities involve large-scale monitoring or processing of sensitive data will be required to appoint one.
With the increasing prevalence of cyber attacks such as the WannaCry ransomware outbreak that disrupted the NHS earlier this year, and the increased significance of data in national security issues, GDPR emphasises the importance of ensuring “the safe flow of data” across international borders, particularly with key partners such as the EU and USA.
Important step to adapt to the digital age
The UK’s adoption of this comprehensive legislation has been positively received as an important step in adapting to changes in the modern world.
Matt Hancock, minister of state for digital said: “The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”
However, it is crucial that businesses ensure they are sufficiently prepared to comply with the enhanced measures of GDPR.
Guidance documents published by the ICO stress: “it is essential to plan your approach to GDPR compliance now and to gain ‘buy in’ from key people in your organisation.”
“You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. In a large or complex business this could have significant budgetary, IT, personnel, governance and communications implications.”
The guidance added that: “the GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability.”
Organisations will also need to “review their approach to governance and how they manage data protection as a corporate issue. One aspect of this might be to review the contracts and other arrangements you have in place when sharing data with other organisations.”