Major new data privacy obligations on the cards for business

After substantial discussions in the corridors of Brussels a nearly final form of the General Data Processing Regulation “GDPR” has been published. Announced by Brussels as creating a “single market for data processing across the EU” it will in fact create substantial new compliance obligations for most businesses in the UK when, as anticipated, it comes into effect in 2017.

The EU’s existing Data Protection Directive of 1995 was enacted into UK law by the Data Protection Act 1998. Each EU member state was required by the Directive to enact data protection laws but there was a degree of freedom as to how restrictive those laws had to be. Germany, for example, chose to enact much tougher laws protective of “data subjects” than the UK.

The new GDPR will, in theory, have exactly the same effect in all member states and data laws in the UK and elsewhere in Europe will be brought up to the standard that currently exists in Germany. The UK Data Protection Act will be replaced by the GDPR.

Whilst the GDPR will regulate the activities of governments and big businesses that “deal in” data, like the big internet businesses that exchange services for the collection of data from their users, the GDPR will also have a profound effect on ordinary businesses that hold the personal data of their employees or customers, that is most businesses, and providers or users of hosted IT services. It has also been suggested that the comprehensive requirement to ensure that data subjects have recently consented to the holding and use (processing) of their data in full knowledge of the purpose for which it is to be processed will kill off businesses which currently sell mailing lists as they will not be able to comply with the new requirements.

Providers of hosted IT services which involve personal data and those providing cloud storage of such data will now have to enter into comprehensive contracts with their customers setting out in detail the security measures they take to protect the personal data that they hold for their clients (eg staff or customer information) and their clients may have to audit those measures to satisfy them selves they are adequate. No longer will it be possible to rely on a mere promise from the service provider to “keep the data confidential and comply with data privacy laws”. This will have a fundamental effect on much business contracting in the field of IT services. Lawfully hosting personal data in the cloud may become very difficult.

Those processing personal data or using third parties to process it for them will need in future to keep detailed records of their processing activities, contracts and security measures. Any significant loss or corruption of personal data will have to be reported to the authorities.

The currently often incomprehensible and overly broad privacy policies used by businesses to pay lip service to their obligation to inform data subjects how and why their data will be used or sold on to others will need to become much clearer and straightforward. Most privacy policies will need to be re-written specifically for the business in question. Using a “standard” will cease to be a viable option although the GDPR says that national data authorities may produce standard form contracts.

IT systems may need to be re-configured to allow compliance. For example, data subjects must have an effective right to require their data to be deleted. That would be difficult for many current systems as deletion of fields could upset historical information, rendering it inaccurate. The GDPR actually requires data protection to be engineered into new systems. Even existing arrangements will need to be updated to be compliant within two years from the introduction of the GDPR.

Penalties for non-compliance will also increase. Serious non-compliance may now be punished with fines of up to 20 million Euros or 4% of the worldwide annual turnover of the guilty party. This compares with a current maximum of £500,000 under the Data Protection Act.

Businesses generally and particularly those specifically involved in dealing in, storing or using personal data or designing IT systems that involve the processing of personal data should start planning for the proposed changes now.

ENDS

This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.  All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.