Data protection compliance is nothing new. Most UK businesses will be familiar with the Data Protection Act (DPA). It has been around since 1998, which makes the current law over 20 years old! At that time, Google was three people in a garage. Offices were still using word processors. Telephone numbers were kept in a Rolodex, or for the sophisticated, a Filofax. Most people had never heard of the internet. A lot has changed in 20 years, and the law is trying to catch up.
That said, even before the DPA was implemented, The European Commission was aware of the need for a law to protect the privacy of individuals. This resulted in the adoption of the Data Protection Directive in 1995. This Directive seeks to protect individuals’ personal information. At the same time, it recognises that the free flow of personal information within the European Union has economic benefits which need preserving. This is a tricky balance.
Changes in data protection law are seeking to maintain that balance but also bring things up to date. On 25 May 2018, the DPA will be replaced by the General Data Protection Regulation (GDPR). Whilst the overriding purpose of the GDPR is much the same as the DPA, there are crucial differences which businesses should be aware of. These differences have sprung largely out of inadequacies identified over the last 20 years in the DPA which the GDPR has sought to address.
So, what are the differences?
Whilst the law is never nimble enough to keep up with all advances in technology, the GDPR is a significant improvement upon the DPA. The new law will apply to more companies in more places and protect more data. The consequences of non-compliance can no longer be ignored by organisations. Organisations must show that they comply rather than merely say that they comply. If organisations get things wrong and personal data is lost or compromised, the likelihood under the GDPR is that they will have to report the breach. And, finally, all companies will have to look carefully at how they obtain consent for processing and recognise that such consent can be withdrawn at any time. We’ve gathered together the specific changes that may affect your organisation.
More organisations need to comply with the GDPR
First, it has been made clear that the GDPR applies not only to EU organisations but also non-EU organisations in certain circumstances. For example, if a US company is selling software to an EU individual, or monitoring such an individual for the purpose of targeting advertising to that individual, the GDPR applies to that US company.
Second, the DPA applies only to companies that control the processing of personal data (Controllers). The GDPR extends the law to those companies that process personal data on behalf of Controllers (Processors). For example, if you buy a new television on the internet and give your contact details to the web-based store to enable delivery of that television, only the store would be liable for looking after your personal information under the DPA. Under the GDPR, the store and the delivery company could both be liable.
These two changes close two loopholes which undermined the protection of individuals within the EU.
There are larger fines for breaching the GDPR
The GDPR allows the regulator to fine non-compliant companies up to 4% of global turnover. Under the DPA, the largest fine allowed is £500,000 and the highest fine ever handed out has been £400,000.
For large (possibly multinational) companies with a high turnover, it was felt that a maximum fine of £500,000 was not significant enough to deter bad practice. It should be said, however, that such huge fines are only likely to be levied for very serious breaches where organisations wilfully ignore the law, resulting in a significant effect on the rights and freedoms of individuals, for example a large-scale loss of sensitive data.
Organisations need to be able to demonstrate their compliance
The regulator is emphasising the need for accountability within organisations and diligent record keeping. Organisations are required to demonstrate compliance with the GDPR. They need to be able to show the regulator that they take data protection compliance seriously and that they have recorded the steps showing such seriousness.
This is a break from the last 20 years of the DPA where the perception has been that many organisations have, if anything, only paid lip service to compliance.
There is a new requirement to notify data breaches to the regulator
Under the DPA, the regulator recommends that organisations notify it if they experience a data breach. However, under the GDPR there is a requirement to notify the regulator and, under certain circumstances, the individuals affected.
This change in the law means that organisations can no longer seek to keep quiet about data breaches. Under the GDPR, organisations may still choose to keep quiet and not notify, but if the data breach becomes public and the regulator finds that the organisation did not comply with the law, any fine is likely to be a lot higher.
Consent is getting more specific
Organisations need a legal basis to process personal information. One of those legal bases is “consent”. This is the case under both the DPA and the GDPR. However, under the GDPR, that consent will have to be more specific and more granular. For example, instead of obtaining consent for marketing by ‘opt out’ or so-called ‘soft opt in’, organisations will have to obtain separate, specific ‘opt in’ consent for marketing by email, by telephone and by in-product messaging. Also, under the GDPR, organisations will have to inform individuals that they can withdraw such consent at any time.
These changes were deemed necessary because it was felt that individuals did not have sufficient control under the DPA over what their personal information was used for.