Are you ready for GDPR? (1/8)

In this series of briefing notes our Associate Litigation Solicitor, Richard Burraston, explores some of the key issues that could affect your business following adoption and commencement of the EU’s General Data Protection Regulation (GDPR), and the granting of Royal Assent for the Data Protection Bill.  

On the 25th May 2018, the EU’s General Data Protection Regulation (Regulation EU 2016/679) comes into force and is directly applicable to all EU Member states.  Businesses and organisation both in the private and public sector, whether acting as a Data Controller or Data Processor, will need to ensure that their processes and procedures for collecting, storing and processing personal data are sufficient and comply with the regulations. Further, the British Government has before it the Data Protection Bill, which looks to adopt GDPR into British Law in accordance with Article 6(2) of the regulations and replace and extend the existing rules under the Data Protection Act 1988.    The Bill received its third reading in the House of Lords on the 17th January 2018, with a view to royal assent during 2018-2019 and is an attempt to ensure that the UK has an appropriate and consistent data protection regime once Brexit is fully implemented.  

The main drivers behind the Data Protection Act 1988 remain, but with substantial bolstering from the EU directive.  It will be for Data Controllers to take responsibility for, and to demonstrate that, they have complied with data protection principles set out in the regulations (reg 5(2)), and Controllers should work with Data Processors to ensure that their processes are compliant when processing the personal data of individuals.  

A failure to comply could result in substantial fines being awarded (up to 20,000,000 EUR or 4% of the total worldwide annual turnover, whichever is highest and depending on the nature of the breach), together with, in accordance with article 82 of the regulations, a right for any person who has suffered material or non-material damage as a result of infringement to receive compensation from either the data controller or processor for the damage suffered.  

Article 5 of the EU directive sets out the primary data protection principles, which require that personal data be:

1. Processed lawfully, fairly and in a transparent manner;

2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with that purpose;

3. Adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed;

4. Accurate, and where necessary, kept up to date;

5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data are processed; and

6. Processed in a manner that ensures appropriate security of the personal data.

But how do you know if you are a data controller or processor for the purpose of the regulations, and do they apply to you?  In simple terms, the regulations will affect any business, person or organisation that either determines the purpose and means of processing personal data, or processes that personal data.  

A Data Controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others determines the purpose and means of processing personal data.   This remains broadly in line with the current definition ascribed by the Data Protection Act 1998.  Similarly, Data Processors retain their status of being any person (natural or legal, public authority, agency or other body) which processes personal data on behalf of the Controller.  

GDPR creates a number of rights for individuals that businesses will need to be aware of.  Some of these rights will already be recognisable to organisations, however steps should be taken to put in place processes and procedures to enable compliance with these rights.  Rights include:

• The right to be informed;

• The right of access;

• The right to rectification;

• The right to erase;

• The right to restrict processing;

• The right to data portability;

• The right to object;

• Rights in relation to automated decision making and profiling.

If you are unsure of your legal rights and obligations in relation to the application of GDPR or the Data Protection Bill, need help and assistance in bringing your processes and procedures up to speed to ensure compliance, or facing a claim for a financial penalty from the Information Commissioners Office for breach, then please contact Richard Burraston on 01293 596984 or via e-mail at richard.burraston@stevensdrake.com or Paul Dungate on 01293 596981 or by e-mail at paul.dungate@stevensdrake.com