According to IBM, some 90% of the world's data has been created in the past two years, with an estimated 2.5 quintillion bytes generated every day. People are posting to social media, shopping online and, in doing so, handing their personal information to companies all over the world. That is why data protection legislation is changing.
With data growing at an unprecedented rate, the rules protecting this personal information are getting stricter. Trust and integrity matter to the individuals who share their details, and businesses must respect this by using data appropriately and transparently. This is why, from 25 May 2018, the Data Protection Act 1998 will be replaced by the EU-wide General Data Protection Regulation (GDPR). It will overhaul the current legal framework, tightening the rules on how data is collected and on the role of consent.
Although the GDPR is EU legislation, bosses hoping to hide behind Brexit will need to rethink their strategy. Unlike an EU directive, which each member state must transpose into its own law, a regulation applies directly: from May 2018 UK businesses will have to abide by its rules without any further national legislation. The other big change is the sheer number of firms that will fall within its scope.
The legislation applies to any business which offers goods or services to, or monitors the behaviour of, individuals residing in the Union, regardless of its location. Therefore, even those businesses outside of the EU will have to set up robust processes and policies.
One of the biggest changes is the role of transparency. The Data Protection Act 1998 only implied a transparency requirement; the GDPR makes it an explicit obligation. To be transparent, businesses have to be open with individuals about how their data is collected and used. It is therefore critical that organisations review the ways they gather personal information, their data retention policies, and how data is shared with third parties.
Firms will also have to be able to demonstrate compliance with the new legislation under the principle of accountability. It will be imperative that businesses update their procedures and policies: keeping meticulous records of their processing activities, carrying out Privacy Impact Assessments (Data Protection Impact Assessments under the GDPR), and implementing Privacy by Design and Default in all activities. Demonstrating accountability will demand more time and energy from bosses to make certain that they are minimising the risk of breaching the law.
Consent is another aspect that has changed substantially under the new regime. Consent will need to be freely given, specific, informed and unambiguous (and explicit where sensitive data is involved), and it must be as easy to withdraw as it was to give. Businesses can no longer rely on silence, inactivity, default settings or pre-ticked boxes as the basis for permission. According to the ICO's draft guidance, organisations will also have to name any third parties who are going to rely on that consent to use the personal information.
Businesses will no longer be able to rely on the “we may pass your data to partners of our choice” statement. In light of these changes, businesses that rely on consent as the basis of any processing should review the suitability of this approach and see whether there is another lawful basis that can be used instead.
Although the GDPR will not apply for over a year, it is crucial that bosses do not delay and start acting now to safeguard themselves not only from the increased fines (up to €20 million or 4% of annual worldwide turnover, whichever is higher) but from the devastating reputational damage a data breach can inflict on a firm.
Andrew Hartshorn is a partner in the information law team at Shakespeare Martineau.