In this article we are going to look at the UK General Data Protection Regulation, or rather, how the General Data Protection Regulation (GDPR) will affect how data protection is dealt with in the UK. The GDPR takes effect from 25 May 2018, so it’s important that all businesses and organisations are well prepared for its implementation by then.
Hopefully, the information will help your business or organisation to better understand how the GDPR will work in the UK.
GDPR – the basics
For anyone who is not aware of what the GDPR is, here is a basic explanation. The GDPR is intended to provide a level of consistency in the way data protection is addressed across EU member states. It also gives EU citizens an improved level of control over their personal data.
It’s important to note that the GDPR does not just apply to businesses and organisations that are based within the EU. It applies to any business or organisation that is involved in the processing of the personal data of EU citizens. Currently, the GDPR applies to UK companies because UK citizens are EU citizens. Although this will no longer be the case following Brexit, the GDPR will probably still apply to the majority of businesses and organisations in the UK, because they will most likely still be processing the personal data of people from other EU countries.
What happens at present?
Currently, each EU member state has its own data protection laws, which implement the EU data protection directive of 1995. In the UK, these rules are set out in the Data Protection Act 1998, and data protection is overseen by the Information Commissioner’s Office (ICO).
The GDPR will bring changes to the way personal data is handled in the UK. These changes will be detailed in the Data Protection Bill, which has already been written.
The new data protection bill in the UK
This data protection bill will be used to implement the changes that have been brought about by the GDPR. Effectively, this is the UK General Data Protection Regulation. The bill has already been published, on 14 September 2017, but it only becomes law once it has passed through both Houses of Parliament.
Like many other countries, the UK has added some exemptions to the GDPR as part of this bill. These exemptions help to protect certain professional roles and bodies, such as journalists and anti-doping agencies.
One of the additions to the bill deals with the anonymisation of personal data. It states that researchers who find that they can actually identify an individual, or individuals, from data that has been anonymised must report their findings to the ICO.
This bill is not yet law, but it will be once it has passed through both Houses. At that point the previous Data Protection Act will be repealed. This needs to happen before the GDPR takes effect, in order to ensure that UK businesses and organisations comply with the requirements of the GDPR.
UK General Data Protection Regulation – non-compliance
It’s vital that UK businesses and organisations comply with the requirements of the GDPR and the new data protection bill. We will take a look at some of the requirements of the GDPR soon, but let’s first examine what can happen if a business or organisation fails to comply. The full range of potential fines and sanctions has yet to be defined, but the maximum potential fine is 20 million euros or 4% of annual turnover, whichever is higher. In reality, it’s unlikely that this maximum fine will ever be imposed, but there will still be severe consequences for non-compliance.
Like every Data Protection Authority (DPA), the ICO will have some leeway to decide on the fines and sanctions it imposes. But it will still be expected to liaise with other DPAs. This liaison is required in order to maintain a level of uniformity in how data protection is dealt with throughout the EU.
Does the GDPR make it necessary to always have consent?
Many businesses and organisations are under the false impression that it’s always necessary to have consent in order to process data. This is not the case. Consent is only one of the legitimate grounds for processing personal data; others include the need to process data in order to perform a contract between the data controller and the data subject, and the need to process personal data in connection with ongoing legal action.
However, if consent is the legitimate ground being relied on for processing data, then there are rules that need to be followed.
- Consent must always be freely given and informed.
- Consent must be given separately for each purpose for which data is processed. Requests for consent cannot be hidden away in the business or organisation’s other terms and conditions.
- The data subject needs to take a positive action in order to give consent. This means that methods of obtaining consent such as pre-ticked boxes are no longer legitimate.
In addition to clarifying the situation with regards to consent, the GDPR also solidifies the rights of EU citizens when it comes to how their personal data is dealt with.
The rights of EU citizens
The GDPR gives several rights to EU citizens, regarding the holding and processing of their personal data. These rights include:
- The right to be informed – this means that businesses and organisations need to inform individuals about what their data is being used for.
- The right of access – as with many of these rights, this right already exists, but the GDPR changes it. Subject Access Requests (SARs) now need to be responded to within 40 days. The other major change is that businesses and organisations cannot charge for the service, except when requests are unreasonable or repeated on a regular basis.
- The right to have mistakes rectified – this means that individuals can ask for mistakes in personal data to be corrected.
- The right to be forgotten – individuals can ask for personal data to be deleted. It’s important to note that businesses and organisations do not necessarily have to comply with such requests if they have a legitimate reason to continue processing the data.
- The right to restrict processing – this applies when an individual requests that you stop processing their personal data. It applies to the processing only and you can still retain the data if you have a legitimate reason to do so.
- The right to data portability – this means that businesses and organisations must provide individuals with a copy of the data held, in a machine-readable format. In practice, this makes it easier for individuals to pass their data on to third parties.
- The right to object – individuals have the right to object to their personal data being processed for legitimate interest or public interest, for direct marketing or for scientific research. Processing must be stopped unless the business or organisation can show that it has a legitimate reason for processing that overrides the rights and freedoms of the individual, or that processing is required in reference to legal claims.
- Rights surrounding automated decision-making and profiling – the GDPR has strict rules in this area. They include having a legitimate reason for profiling and informing the individual of how their information is being used.
You can see that there are plenty of requirements that need to be complied with when it comes to the UK General Data Protection Regulation. But how do businesses and organisations make sure that they comply?
Responsibility for compliance with the GDPR
For the first time, with the GDPR, data controllers are not solely responsible for the protection of data. Individuals can now take action against both data controllers and data processors if they feel that the GDPR has not been complied with in the processing of their personal data.
This makes it even more essential that everyone involved in the processing of personal data complies with the stipulations of the GDPR.
The role of the Data Protection Officer
The rules on whether or not a business or organisation needs to have a data protection officer (DPO) in place are slightly open to interpretation. The GDPR states that a business or organisation needs to have a DPO if its processing requires large-scale systematic monitoring of individuals, or if it processes certain types of sensitive personal data.
For many businesses or organisations it may make sense to have a DPO in place anyway. The DPO needs to have extensive knowledge of the GDPR and needs to know how to plan and implement an effective data protection process. An individual with this type of knowledge could be invaluable in helping a business or organisation comply with the stipulations of the GDPR.
It’s important to note that DPOs do not need to have formal qualifications for the role; the GDPR only stipulates the knowledge that is necessary. It’s up to the business to ensure that the DPO has the right credentials for the role, and that they operate completely independently, free from any undue influence. Businesses and organisations should also ensure that everyone who works there and is involved in the handling or processing of personal data understands the rules of the GDPR, as well as the implications of non-compliance. Providing this knowledge is an important part of any business or organisation ensuring that it complies with the UK General Data Protection Regulation.