Until the details of how the laws may or will be altered are known, and given a good chance that they may well be retained in English, Welsh, Scottish and Northern Irish law after the ramifications of the Brexit vote (a topic for another day), laws from the EU will continue to apply, including new ones introduced in the foreseeable future.
This includes the law around the protection of personal and sensitive data of individuals. Most people are aware of the Data Protection Act (which derived from an EU Directive), at least in its most basic purpose: protecting against the disclosure and circulation of an individual’s personal and private information. Its principles have generally been achieved, although, as with any complex subject, some issues have arisen along the way (for example, confusion over “safe harbours”).
The EU has just published a draft revised Regulation replacing the basic rules of the 1994 Directive, which the individual countries of the EU made into their own law. A Regulation is direct law, whereas a Directive is a direction to Member States to put laws in their own wording (with additional points) onto their own statute books, which is what the UK Governments did with the Data Protection Acts. It may be modified through consultation but is expected to become law throughout the United Kingdom in 2017, unless and until it is disapplied through work relating to Brexit.
Everyone is affected by this, either as an individual being protected or as a business that collects personal data and is subject to it – even a very small one. A business should be registered with the ICO if it has employees and stores their personal data, and also if it sells goods to individuals about whom it collects and processes personal data. Businesses should review their policies (if they have them) and the way they comply with the existing law, and be prepared for the implementation of the new proposed law.
And if businesses don’t have proper policies now (and many controllers of personal data do not) – well, in future they will be required.
So, what’s new, and what should small businesses be aware of? The new Regulation contains many tweaks and tightenings of its language and definitions, reflecting technological advances and commercial practices since the ‘90s, but the main points of interest for businesses to note are:
- It seeks to govern entities outside the EU who target EU customers; they will need a designated representative in the EU
- There is now a requirement for data to be processed in a “transparent manner” (presumably not in a hidden or opaque way, but in a manner easily understood and agreed to by the data subject); controllers will also need “easily accessible policies” in place and will have to appoint a “data protection manager”
- The amount of data is now to be minimised so as to be limited to the described purpose (this was in the Directive but is now much clearer), and so is the time period for which it is stored
- There is a clear obligation now that data is processed under the “responsibility and liability of the controller” who must demonstrate compliance
- Secondary use and sharing of data with third parties, in circumstances where it was previously allowed, is much more restricted and would need to be demonstrated to fall within the new Regulation’s wording
- Consent to the processing of personal data relating to children is now clarified – 13 is the cut-off point below which the consent of a parent/guardian must first be obtained
- There are new express mechanisms for a data subject to exercise their rights which processors and controllers need to take into account in their policies and procedures
- There will be an obligation on controllers to “adopt policies and implement … measures” to comply with the Regulation
- The £10 charge to a subject for access to their data seems to be disappearing, and the time to comply is being reduced from 40 days to one month
- The information and access-to-data requirements are more stringent and are spelt out. At the point and time of collection, the controller will have to give the data subject clear information about: the controller; the purpose; the legitimate interest behind the collection of the data; the period for which it will be kept; complaint procedures; the recipients of the data; any transfer of the data outside the country, and especially outside the European Economic Area; and the protection offered by the recipient country
- There are more explicit rights to obtain rectification of incorrect data, and to be “forgotten”, i.e. to have personal data erased (subject to certain grounds), which must be carried out without delay, particularly where the data is in the public domain. This has an obvious application to removing embarrassing photos/data from Facebook and the like; it will also affect online advertising
- There is a right for data subjects to object, on certain defined grounds, to the processing of their personal data, including for direct marketing (which existed before but has been strengthened). This is much more explicit than before, and the data subject will no longer need to show that the processing causes unwarranted “substantial distress or damage”
- As mentioned, it appears that controllers based outside the EU will be subject to the jurisdiction of the European Commission and will need to appoint representatives in the EU
- It seems the responsibilities of a pure processor have been made more explicit where they are not entirely bound to a controller. Up to now processors have, understandably, generally tried to deflect any liability onto the data controller, so they may now be more susceptible to action from a supervisory authority in certain areas, such as data security
- As there is a duty of transparency and of making things clear at the outset, it is not fully understood whether the current need to pay to register with the ICO will continue. It is true that registration is seen as merely a nuisance administrative issue; very few people have ever had the need to look up a registration
- Controllers will have a duty to supply the bullets to be shot at them: they will have to report any breach to the ICO within 24 hours, together with the action taken, and will also have to report details to the data subjects concerned. Consumer-facing businesses may not like the increased potential for bad press, and for a jaundiced view of them by their consumers, that complying with this may bring. Coupled with this is the expected likelihood of higher fines and penalties
- For certain processing operations, risk assessments in advance may be required
- It will be crystal clear that the new Regulation’s conditions must be adhered to for international personal data transfers
- The ‘Safe Harbour’ provisions are being continued, and a check of the European Commission’s list would need to be made to ensure that a US State, for example, is a safe harbour
- The Model Contracts process for territories not subject to a ruling of adequacy continues. Businesses should make themselves familiar with the terms of the Model Contracts and use them
- Fines and penalties have been increased to €1 million or 2% of “its” worldwide turnover (possibly that of the whole corporate group rather than just the legal-entity subsidiary)
- The UK Government can set its own rules to apply to firms like solicitors and accountants who have a common law (and other) duty of confidentiality in relation to the data they hold
The summary message for businesses is: 1) understand the new proposed laws; 2) make new specific policies; 3) appoint a manager to be responsible; 4) inform data subjects, at the time you collect information, of everything they need to be told; 5) check more carefully where data goes and under what terms; and 6) immediately tell the ICO of any breaches – and do all this in the light of possible higher penalties for failure.