14 August 2017
Data Protection – so what’s changing?
The headlines scream the message that individuals will regain control over their personal data and organisations in breach of the new regulations will face heavy fines. So how will the new General Data Protection Regulation (GDPR) differ from the current Data Protection Act (DPA) when it comes into force on 25th May 2018? The adoption of GDPR was announced on 27th April 2016, but it was only last week that it became clear how the regulations would be adopted by the UK.
The government’s aim is to increase trust and confidence in the digital economy. The changes, however, elevate data protection from an IT department issue to board level. There are still grey areas and the bill still has to pass through Parliament – nonetheless, the key strands are apparent.
The GDPR will strengthen the UK Information Commissioner’s powers. The most striking are the penalties that can be levied. The current maximum fine for a serious breach of data protection law is £500,000. Under GDPR this could rise to a maximum of £17m or 4% of global turnover.
The most significant change from the DPA is company accountability and governance. If you process any personal data whatsoever, you will be subject to the new regulations, and there will be considerable legal liability attached to this. This liability applies both to ‘controllers’, who specify how the data is processed, and to ‘processors’, who act on the controller’s behalf. The GDPR places specific obligations on processors to maintain full records of their activities and to be able to demonstrate that these are lawful under the regulations. In addition, controllers have the new obligation of ensuring that any contract with a processor complies fully with the GDPR.
The GDPR creates a number of new rights for individuals and strengthens many of the rights that currently exist under the DPA. Proposals likely to be included in the bill cover:
- scope – redefining personal data to include IP addresses, DNA and cookies.
- consent – requiring that firms obtain ‘explicit’ consent to hold and process data and are fully transparent, usually through a privacy notice, about how any data is to be used.
- changes – making it far simpler for individuals to withdraw consent for their data to be used, or to ask for it to be deleted or to be rectified if it is inaccurate. It is incumbent on the firm to inform any third parties to whom they have given the data of the required changes.
- access – granting individuals far freer access to the information organisations hold on them and allowing them to obtain and reuse their personal data across different services.
- automated decisions – creating safeguards against automated decision making about the use of data. All decisions will require human involvement.
- identification – making re-identifying people from anonymised data a criminal offence.
The implications of all this are huge. Companies will need to understand what data they hold or are responsible for, where it came from, on what basis it was provided, whether they have the necessary consents, where and how the data is stored, who uses it and for what – and, above all, whether these uses are lawful. They will also need to assess their cyber protection – against both user error and external attack – since the regulations demand that ‘state-of-the-art’ technology is used. In addition, they will need to review their systems, such as their breach notification process.
Richard Grainger, Centor’s Broking Director, commented: ‘This is a complex step-change in the rules governing data protection, which will be challenging for all organisations, whatever their size. The 25th May 2018 is not far away. Centor is ready to help with both professional advice and insurance protection.’
For more information, get in touch with:
0207 330 8705