A new data protection and privacy regime


Whilst the regulations won’t come into force until early 2018, the scope and potentially onerous requirements of the new data regime mean businesses must prepare now for its implementation. These are the key areas you must know.

Extension of territorial reach

The regulations extend to data controllers and processors beyond the EU whose activities relate to the “offering of goods and services” to EU data subjects or the “monitoring” of EU data subjects. If your website is merely accessible to EU citizens but not aimed at them, it is less likely you will be caught by the regulations. However, if your website uses the language or currency of one or more member states and/or allows goods or services to be ordered by EU citizens, then it is more than likely that a company based outside the EU will be subject to the regulations. “Monitoring” will cover any form of tracking of individuals, e.g. techniques for behavioural targeting.

Accountability and privacy by design

The regulations impose onerous obligations on businesses to demonstrate that they are compliant. For example, where a business “controls” the data use, it will be required to: (a) maintain certain documentation; (b) carry out a data protection assessment for certain high-risk processing; and (c) implement ‘data protection by design’ and by default, e.g. by minimising the data captured.

Data subject consent

The regulations make it clear that a data subject’s consent to the processing of their personal data must be freely given, informed, specific and unambiguous, demonstrated by either a statement or a clear affirmative action. It can be withdrawn, and “explicit” consent must be given for sensitive data. The data controller must be able to demonstrate that such consent was provided. The guidelines suggest that, in determining whether consent has been freely given, data authorities will consider the circumstances in which it was obtained: for example, where e-commerce services are made conditional upon agreeing to a company’s privacy policy, this is unlikely to be regarded as freely given consent. Where a data subject’s personal data is processed for direct marketing, the data subject will have the right to object.

Notification of a data breach

Currently, as a general rule, there is no absolute requirement on companies to notify the Information Commissioner of a breach of the Data Protection Act. The regulations change this. From 2018, any breach or suspected breach must be notified to the DP Authority without undue delay and, where possible, within 72 hours of becoming aware of it.

Fines

Presently, the maximum fine that the UK Information Commissioner can impose for DP breaches is £500,000. The regulations dramatically increase the sanctions available, with DP Authorities able to impose a fine of up to four per cent of a company’s annual worldwide turnover for a breach.

No more notification requirements

It’s not all doom and gloom for businesses. One welcome change is the removal of the requirement to notify or register (and pay a fee) with the DP Authority. The onus is now on the individual company to self-police.

Read on to find out what your company should be doing now to prepare.