General Data Protection Regulation: Guide for businesses (Part 1)

Advice  |   24 October 2017


The General Data Protection Regulation (GDPR) becomes law in the UK on 25 May 2018 and will be unaffected by our decision to leave the EU. The regulation strengthens the rights of individuals to control the way in which their personal information is used and increases obligations on businesses to ensure that any personal data they collect is dealt with in a fair and transparent way. If you have not already familiarised yourself with the provisions of the GDPR, and audited your business to ensure compliance, you need to do this now before the new requirements come into force.

In the first of a two-part series of articles looking at GDPR, Robert Goddard, commercial lawyer with Thackray Williams, provides an overview of the key requirements. In the second article, he explains the steps you should take to prepare for them.

Key rights for individuals

Individuals will have the right to:

  • be informed that their personal information is being used;
  • be provided with access to that information, if they request it and usually without the payment of a fee;
  • ask for inaccurate information to be rectified;
  • ask for the erasure of information that is no longer needed or which they no longer consent to being used;
  • ask for the use of their personal information to be restricted, if appropriate;
  • use information collected about them for their own benefit, for example to help them pre-populate an internet search; and
  • object to certain decisions about them being made by an automated process rather than human review.

Some of these rights are similar to those already enjoyed under the Data Protection Act, but some are very different, including the enhanced right to erase information, known as the ‘right to be forgotten’:

‘The right to be forgotten exists where there is no compelling reason for personal information about an individual continuing to be held and used, for example where it is no longer needed for the purpose for which it was collected or where use of the information was only permissible because of the individual’s consent and this has since been withdrawn. However, it is not an absolute right which means that where, for instance, there is a legal obligation to continue to use the information or where the information is needed for the bringing or defending of a legal claim, a request for erasure can be refused.’

Where someone asks for erasure and you determine that this should be respected, you will need to ensure that this occurs. You will also have to notify any third party you have shared the information with so that they can take steps to erase it as well.

Key obligations for businesses

Businesses will have to:

  • ensure that they have a lawful basis for collecting and using personal information, such as consent from the individual concerned or a contractual requirement;
  • provide more information about the collection and processing of personal information upfront and in a more transparent and easily accessible way;
  • maintain records about all the personal information they hold and how it is collected, stored and used (although, for businesses employing fewer than 250 people, this obligation will not apply unless you are undertaking what is classed as higher risk processing, for example by dealing with information related to criminal convictions and offences or which has the potential to risk the rights and freedoms of individuals);
  • appoint a Data Protection Officer in certain circumstances;
  • respond to requests for rectification within one month, or three months if the request is particularly complex;
  • inform third parties who have received personal data where the data in question needs to be restricted or erased;
  • immediately stop using personal information for direct marketing where a request for this is made;
  • comply with stricter requirements where personal information is held about children; and
  • notify the supervisory authority where there has been a data breach and, if the breach risks the rights and freedoms of individuals – for example, by exposing them to the possibility of financial loss, loss of confidentiality, damage to their reputation or risk of discrimination or social disadvantage – notify affected individuals as well.

Again, some of these obligations already exist under the Data Protection Act, but there has been a widening and strengthening of the requirements. For example, if you are relying on the consent of an individual for the collection and use of their personal data, this consent needs to be express. You cannot rely on pre-ticked or opt-out boxes, or on silence or inactivity. You also need to ensure that where consent is given, you make it easy for that consent to be withdrawn.

The definition of personal data has been broadened to include online identifiers, such as an IP address, and pseudonymised data – that is, data that has been altered to try to make it less obvious who it relates to – but from which it is still possible to determine who the individual is. For example, if you use a system which identifies individuals by a reference number that uses a combination of random letters and numbers rather than the individual’s name, this will be caught if it is possible to link the reference number back to the particular individual concerned.

Businesses will have to demonstrate compliance with the GDPR requirements or face the possibility of a fine of up to £20 million or four per cent of annual global turnover, whichever is higher.