25th May 2017 marks the one-year countdown to the enforcement of the European Union’s General Data Protection Regulation (GDPR). It has been four years in the making and its effects will be significant.
The GDPR is wider in scope than the existing 1998 Data Protection Act, and the associated fines are far larger. It gives citizens control of their personal data and privacy down to a detailed level.
What is the GDPR for?
It’s designed to strengthen data protection for individuals, while clarifying the legal position and framework for those who keep and use personal data. And it’s backed by penalties. Companies could be fined up to 4 per cent of their worldwide annual turnover or €20 million, whichever is greater, for a breach of the GDPR. The regulation applies from 25 May 2018 and applies to the UK despite the Brexit vote.
Do you need a DPO?
Within the EU, public bodies, and organisations whose core activities involve large-scale processing of the most sensitive types of personal information or large-scale, regular and systematic monitoring of individuals, will be required to appoint a data protection officer (DPO). It’s the DPO’s job to independently supervise compliance with the GDPR. The challenging and vital nature of this role means that expert knowledge of data law and practice is essential.
Consent
One key change is around consent. Under the GDPR, data controllers must go to greater lengths not just to obtain consent, but to demonstrate how and when that consent was obtained. This means every activity that collects a customer’s data on the basis of consent must use an active ‘opt-in’. It will no longer be enough to infer consent from silence or from a failure to uncheck pre-ticked boxes, for example.
In addition, a person can withdraw their consent at any time, and provision must be made so that withdrawing it is as simple and easy as giving it.
Subject access requests and erasure
Under the GDPR, anyone can request a copy of the data an organisation holds about them, as well as details of why it has this data and where it came from. Such requests must be answered without undue delay and within one month, and they cannot be refused or charged for unless the organisation can show that they are manifestly unfounded or excessive.
The data subject has the right to request erasure of personal data relating to them on any one of a number of grounds, including where the legitimate interests of the controller are overridden by the interests of the data subject.
Breach notification
The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” Such a breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to those individuals, they too must be informed without undue delay.