Data controllers must ensure full compliance ahead of major and far-reaching changes coming into force in May 2018.
One of the few certainties for 2017 is continuing political uncertainty about what the UK vote to leave the European Union means in practice for Scotland and the rest of the UK. However, notwithstanding possible constitutional outcomes, it seems certain that the UK will still be in the EU on 25 May 2018.
That is significant for all data controllers and data processors, because that is when the new EU General Data Protection Regulation (GDPR) comes fully into effect across the EU and will apply directly to the UK, replacing current data protection laws in the Data Protection Act 1998 (DPA). The GDPR also introduces direct duties for data processors, not currently contained in the DPA. Data controllers and processors across the public and private sectors should consider taking time in 2017 to put in place arrangements to ensure that they can comply with the GDPR. In reviewing legislation, such as Part 4 of the Children and Young People (Scotland) Act 2014 (dealing with Named Persons), the Government should seek to future-proof provisions by considering how they can comply not only with the DPA, but also the GDPR. The same approach should be taken to consideration of legislation currently passing through Parliament.
The GDPR makes many changes to data protection law, but some key features relate to individual rights, consent, notification, breach reporting, penalties, data protection officers and territorial application. One of the underlying principles is the provision of stronger individual rights in relation to the use by others of their personal data. In addition to maintaining a right of access to their own personal data, the GDPR gives individuals a right to “data portability”, ie to get their personal data back from a data controller in a form that can be transferred with ease to a different data controller. The “right to be forgotten” is also contained in the GDPR.
The requirement to “notify” processing with the UK Information Commissioner will no longer apply, but instead data controllers must be accountable for their processing, conduct data protection impact assessments prior to engaging in high-risk processing and incorporate privacy by design in their operations.
The GDPR strengthens the consent requirements for processing. Where consent is needed, the GDPR requires that consent be freely given, specific, informed, unambiguous and signified in writing or by some clear affirmative action. It should be as easy for an individual to withdraw consent as to give it. Data controllers who have previously obtained the consent of individuals to process personal data should re-examine whether that consent meets the requirements of the GDPR and, if it does not, what steps they need to take to ensure that they have lawful consent under the GDPR going forward. The same re-examination process should be undertaken where fair processing notices have previously been given to data subjects by data controllers.
Where a data controller becomes aware of a data breach, the GDPR requires the controller to notify that breach to the UK Information Commissioner within 72 hours of becoming aware of the breach (unless risk to individuals as a result of the breach is unlikely), or to justify any delay beyond that timeframe. In some cases, where there is a high risk to an individual from a breach, the controller will also have to notify the individual directly. The maximum penalty for breaching the GDPR is 4 pre cent of annual worldwide turnover of an undertaking or e20 million, although actual penalties will be determined on the basis of the nature and duration of a breach.
Public authorities, as well as some organisations involved in processing sensitive personal data, are required by the GDPR to have a designated data protection officer, meeting specific requirements in terms of knowledge and expertise. This requirement could be met by appointing a specific employee or through an out-sourced or shared service arrangement.
At such time as the UK leaves the EU, it is anticipated that the GDPR’s provisions will be saved in domestic law for the time being. However, one of the most significant aspects of the GDPR is its extra-territorial scope, ie it also applies to certain data controllers outside the EU. In the event of any future amendment to UK data protection laws, data controllers who are established in the UK outside the EU but who offer goods and services within the EU (including those that are free of charge), will still need to comply with the GDPR if they wish to continue with their trading arrangements.