Major changes to data protection law under GDPR

Tighter laws governing data protection come into force on 25 May 2018, giving citizens and consumers across the UK and the rest of the European Union greater protection against the risk of the misuse of personal data.

The General Data Protection Regulation (GDPR) imposes stricter laws on all business organisations that collect and process personal data on individuals. The UK Government is already preparing to pass similar legislation so that the GDPR rules will effectively remain in force once Brexit is finalised.

What is the GDPR?

The GDPR is an EU regulation tightening the previous law on data protection in two important aspects:

  • It gives individuals more control of their data.
  • It simplifies the legal framework in relation to data protection rules across the EU.

The majority of business organisations must understand that the GDPR effectively imposes more onerous duties on them in relation to the personal data they control and process. Notably, this includes tightening the rules on obtaining consent, and maintaining records of both the personal data itself and data processing activities.

The GDPR therefore applies to both ‘controllers’ and ‘processors’ of personal data. A controller determines the purpose and means of processing the data, while a processor is responsible for processing it on behalf of a controller. Failure to keep records as required will be a breach of the rules.

That said, the Information Commissioner’s Office (ICO) has given assurance that businesses who are already compliant with the previous data protection rules are well on the way to being compliant under the GDPR.

What is ‘data’ for the purposes of the GDPR?

Personal data means any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. This includes:

  • Personal data which identifies an individual, for instance, their email address, internet address, home address, mobile phone number.
  • ‘Sensitive’ data ranging from genetic, religious, political or sexual orientation.

Who do the new rules apply to?

The rules apply to all businesses, including sole traders, who control and or process data. It also applies to businesses collecting data from both consumers and those in business – it is not restricted to business collecting data from consumers.

However, whilst there is no exemption under the GDPR for small businesses, businesses employing fewer than 250 people are not required to keep records, unless there is a potential risk to the rights and freedoms of the individual on which data is held, or the data is within a special category, such as sexual orientation.

What consents are required?

There are stricter requirements in relation to consent than under previous laws. For example, it is no longer sufficient to rely on default consent or pre-ticked boxes. Consent must either be genuine and explicit, or the data must be processed on an otherwise lawful basis.

Individuals from whom consent is required must provide explicit and clear consent to the controlling and processing of data. It is critical that every business knows it can no longer rely, in email marketing campaigns and the like, on blanket consents or other forms of default consent.

What rights do individuals have?

Individuals have the right to ask an organisation for the information it holds on them. This must be provided within one month of the request, though this can be extended by another two months if the requests are numerous or complex.

No charge can be made by the business, unless the request is manifestly unfounded or excessive – in which case only a reasonable fee can be charged.

What should I be doing to be GDPR compliant?

As a business, you should have already made the necessary steps to ensure you are compliant. If not, the ICO has provided a range of valuable resources for businesses planning and reviewing their data protection processes and procedures to ensure they are compliant with the new rules. This includes:

In addition, businesses need to check their own specific trade or regulatory bodies who are expected to have produced guidance focused on their sector/industry.

What happens if I breach the new rules?

The sanctions that may be imposed by the ICO in the event of a breach may be significantly harsher than those under the previous rules. The GDPR allows a fine to be imposed of up to €20 million or 4 per cent of turnover (whichever is greater), for serious breaches; and up to €10 million or 2 per cent of an organisation’s global turnover (whichever is greater) in lesser breaches.

See a specialist commercial or data protection solicitor for legal advice on how the GDPR applies to your own business.