Data protection: fast approaching changes for employers
There are many upcoming changes to the laws relating to data protection. These new laws will change how we collect, store and use data. For some, much work will be required, for example checking consent notices to ensure they are compliant, or putting in place data breach notification procedures where the new mandatory rules apply to them. For many, the new rules, which are fast approaching, will come as something of a surprise. So, what changes are we looking at? Primarily the changes will come from the Digital Economy Bill, the General Data Protection Regulation (GDPR), and the proposal for new Privacy and Electronic Communications Regulations (PECR).
Digital Economy Bill 2016-17
The Digital Economy Bill has been through the House of Commons and is awaiting Report stage in the House of Lords. The Bill regulates the arrangement and services of electronic communications, and therefore has a wide range of provisions. The most relevant provisions, however, are those that relate to the sharing of data and the governance of direct marketing. They cannot be viewed in isolation from the GDPR and the proposed PECR.
In relation to data sharing, the Bill makes provision for the disclosure of certain information and allows that data to be shared in order to enhance service delivery in the public sector, including as a tool to prevent fraud within the sector.
Somewhat buried within Part 6, the Bill amends the Data Protection Act 1998 by adding a section implementing a direct marketing code. This regulates direct marketing and ensures that individuals follow guidance as set by the Commissioner.
General Data Protection Regulation (GDPR)
The GDPR comes into effect in May 2018 across the entire EU. Organisations should therefore begin to work towards the GDPR requirements as soon as possible. The GDPR still applies to the UK, despite the ‘Hard Brexit’ ahead. This is because the GDPR applies to the personal data of individuals within the EU and to any organisation processing that data, even if the organisation is outside the EU, and because the legislation itself is highly likely to come into force before the UK leaves the EU. It will thereafter be up to the UK government of the day to decide whether it wishes to amend or otherwise water down the new rules. Any watering down, however, could have a negative impact on trade for the reasons mentioned earlier.
There are many changes due to come into force under the GDPR. Some of the most significant changes relate to:
- obligations applying to data processors (under current rules most of the legal obligations rest with the data controller);
- the need to appoint data protection officers;
- mandatory notification of breaches in some cases;
- higher financial fines; and
- enhanced rights of data subjects.
Because of these significant changes, the Information Commissioner’s Office has set out 12 steps to help organisations prepare for the GDPR. This is a useful tool for any business starting out on its journey to comply with the GDPR. We will look at a couple of areas of significance (there are too many to mention all of them here):
One of the most significant changes concerns how organisations deal with the consent of the data subject. Consent under the GDPR must be “freely given, specific, informed and unambiguous”. This means that opting out is no longer an option for organisations collecting personal data and that consent must be given by a positive indication. It's opt-in all the way. Reliance on implied consent will no longer be lawful.
The obligations and duties of data processors are greatly increased under the GDPR. Specifically, data processors will become responsible for data protection compliance alongside data controllers if they are in the EU; offer goods or services to individuals within the EU; or monitor the behaviour of EU data subjects.
Because of these increased responsibilities, certain organisations must appoint a data protection officer; this applies to both data processors and data controllers. Unfortunately, the guidance thus far on the appointment of the DPO is vague at best.
Mandatory breach notification will apply to some organisations: where a breach presents a significant risk to the data subject, the organisation must notify the supervisory authority of the breach within 72 hours of becoming aware of it. Organisations may also be obliged to inform the data subjects of certain breaches.
There has been much discussion about the level of fines to be imposed under the GDPR. We will see much higher financial penalties for the most serious breaches, with organisations paying up to 4% of their worldwide turnover depending on the severity of the breach.
Data subjects will benefit from the GDPR as they will have greater rights. These include increased rights in relation to subject access; the rectification of data; and the right of erasure.
Privacy and Electronic Communications Regulations (PECR)
At the beginning of January 2017, the European Commission published its Proposal for a Regulation on Privacy and Electronic Communications. It is proposed that this new PECR will be consistent with the GDPR and would come into force around the same time. The newly proposed PECR seeks to update the current EU digital privacy rules. The new regulations would apply to providers of electronic communications services as well as to individuals. The privacy rules will also apply to the newer communications services, e.g. WhatsApp and Facebook Messenger. Considering that the current EU Directive was last updated or amended in 2009, this seems both desirable and necessary. Under the new regulations, content and metadata from electronic communications must be removed or anonymised unless data subjects have consented to the processing of such data. Implementation, including the enforcement of penalties, will be the duty of the national data protection authorities, which should mean consistent implementation across the EU. Whilst it is hoped to introduce the new PECR at the same time as the GDPR, with the proposal released only at the start of 2017 there is much work still to be done before it becomes law.
As can be seen from the brief overview above, data protection laws are changing dramatically, and soon. Organisations should strive to begin implementing policies and procedures that comply with the changing laws now. Doing so will make any transition period easier to navigate, as it will not coincide with the introduction of the new, harsher penalties. Early implementation of the new requirements will therefore ensure that organisations are not caught out under the new legislation.
Val Surgenor, Partner, MacRoberts