Earlier in 2016, EU legislators adopted a new EU data protection framework, which will apply in all EU countries from 25 May 2018. It takes the form of a regulation, which means it is directly binding on all member states without the need for national implementing legislation. The new General Data Protection Regulation (GDPR) replaces the current Data Protection Directive and places new and heavy obligations on those affected. In order to comply, all relevant firms within the EU will need to invest considerably. But before we look at the likely impact of Brexit on these new rules, let us take a brief look at what is involved.
Data processors outside the EU – The GDPR applies to data controllers and processors located outside the EU if some (or all) of their processing activities are directed at data subjects within the EU, whether by offering them goods or services or by monitoring their behaviour. Under the current Directive this is not the case. Under the new rules, many such external organisations will be required to appoint a representative in the EU.
Expanded role for data processors – The new rules impose direct obligations on data processors for the first time, as well as onerous obligations and responsibilities on data controllers. Controllers' obligations include:
- Carrying out a risk assessment on processing operations. Controllers must implement new procedures, identify high-risk operations (which require a data protection impact assessment) and consider the potential risks to individuals. There are significant fines for getting this wrong;
- Implementing data protection by design and by default, to ensure that the privacy of data subjects is properly protected;
- Keeping a detailed written record of processing activities carried out by each controller;
- Appointing a Data Protection Officer (DPO) if the processing is carried out by a public authority, or if it involves large-scale monitoring of individuals or large-scale processing of sensitive data;
- Appointing an EU representative if the organisation is not established in the EU;
- Notifying a data breach to the Data Protection Authority (DPA) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, it must also be notified to the affected data subjects without undue delay;
- Providing information to data subjects at the same time as the data is obtained. Existing procedures that provide for “fair processing notice” will need to be checked, as the new requirements in the GDPR are much more detailed and demanding; and
- Obtaining consent to the processing of a subject's personal data. Consent must be as easy to withdraw as it was to give in the first place. Explicit consent must be obtained for the processing of sensitive data. Existing consents will continue to be valid only if they meet the new conditions.
Fines – A two-tier penalty system has been established. The lower tier provides for fines of up to €10m or two per cent of worldwide annual turnover, whichever is higher; the upper tier, for the more serious infringements, provides for fines of up to €20m or four per cent of worldwide annual turnover, whichever is higher.
New European Data Protection Board – An independent European Data Protection Board (EDPB) will be set up to replace the existing Article 29 Working Party. Its tasks will include issuing opinions and guidance and ensuring the consistent application of the GDPR across member states.
Binding corporate rules – BCRs must be legally binding on every member of the group of undertakings or enterprises, inside or outside the EU, including their staff.
International transfers of data – The issues raised by the fall of the "safe harbour" arrangement have not yet been fully resolved, but the new regulation includes many new requirements, such as whether data subjects have been properly informed of the risks of a transfer.
Data subjects' rights – The new regulation considerably reinforces individuals' rights, as can be seen from the foregoing. These include the right of access to their data, the right to restrict or object to processing, the right to receive their data back in a commonly used format (data portability), and the right to erasure, or to "be forgotten".
Read on to find out how Brexit and GDPR will affect firms within the UK.