Whilst it has now been confirmed that we will have left the EU by the end of April 2019, this does not mean that impending EU legislation which is due to be implemented in EU member states will not be implemented by the UK. One such upcoming regulation is the General Data Protection Regulation (GDPR) which is due to be implemented on 25 May 2018.
The GDPR will replace the existing EU Data Protection Directive, on which the Data Protection Act 1998 is based. The GDPR is directly applicable in each member state, which means that national implementing legislation is not necessary. The benefit of this is that, without national variation, the data protection rules for all EU member states will be the same, and compliance with the rules should therefore be easier.
What you need to know
Whilst the underlying concepts and principles of the GDPR are the same as those under the current EU data protection legislation, there are some new concepts introduced and several key changes which you will need to prepare for by May 2018. Those changes include:
- Extending the scope of the data protection regulations to businesses outside the EU who operate within the EU;
- Enhancing and tightening the rules on consent;
- Enhancing the rights of Data Subjects and introducing new concepts such as the ‘right to be forgotten’ and the right to request data transfer to a third party (data portability);
- New reporting requirements for breaches of the Data Protection legislation;
- The introduction of the concept of Privacy by Design and the need to include data protection in your plans, policies and procedures from the outset;
- The requirement for Privacy Impact Assessments to be produced in high risk situations;
- The introduction of tougher sanctions for breaches of the Data Protection legislation;
- The introduction of a requirement for Data Protection Officers to be appointed in public authorities and organisations conducting high risk activities.
Whilst the above key changes are by no means the full extent of the changes introduced by the GDPR, they are a snapshot of some of the most important changes that your business needs to be aware of.
For most UK businesses the change likely to have the biggest impact is that relating to consent. Under the GDPR consent must be informed and must be given by an affirmative action. Silence, pre-ticked boxes and/or inactivity will not be sufficient. Furthermore, these provisions will apply to data acquired prior to the GDPR coming into force as well as data to be acquired after April 2019.
One key effect of this will be the need for businesses to review the data which they currently hold to determine what consent, if any, they have in respect of that data. Where any consent has not been fully informed, or expressly given, the business will need to consider deleting that data or contacting the data subject to get express informed consent, that is unless one of the other lawful processing conditions applies. The impact of this on such things as marketing databases could be significant.
If you would like more detailed information in relation to the GDPR and how this will affect your business please do not hesitate to contact a member of our Data Protection Team.