Data protection anoraks across the European Union (myself proudly included) eagerly awoke on 1 January this year with only one thought in mind: next year the General Data Protection Regulation (GDPR) will come into effect. After years of dialogue, tweaking, pondering and waiting, the GDPR will become applicable in the UK on 25 May 2018. Rejoice!
Although not everyone will be quite as excited about the arrival of the new data protection regime as I am, it is something which everyone, particularly public sector organisations, should be aware of and start to prepare for.
What is it all about?
The GDPR will replace the Data Protection Act 1998 (DPA). While the framework of the GDPR may be familiar – the principles and many of the terms used are similar to those in the DPA – there is no doubt that in certain key areas the GDPR is a significant departure from the current legislation. It introduces:
- a new accountability principle for data controllers;
- new rules on child privacy;
- a new Data Protection Officer role;
- more obligations on data processors;
- stricter consent for processing;
- significantly higher financial penalties for data breaches;
- greater rights for data subjects;
- wider jurisdictional reach;
- data breach notification requirements; and
- privacy by design.
What can you do?
It is fair to say that currently not all of the new requirements of the GDPR are clearly or commonly understood. Preliminary guidance on some of these points has started to be produced by the Article 29 Working Party and further guidance from the EU is expected. That said, we would urge organisations not to wait as there is plenty you can be doing now to prepare yourselves for the GDPR, such as:
- understand whether you need to appoint a Data Protection Officer (for public authorities this will be mandatory);
- undertake a data protection audit of your existing data processing practices;
- ensure any new procurements (particularly those for IT systems) and long-standing data sharing arrangements are compliant with the GDPR;
- assess and understand any potential areas of risk;
- update your data protection policies and privacy statements; and
- establish areas where you may need external legal advice.
The good news is that if you already have established and robust data protection practices in place, that work is not wasted as you can build on these practices to ensure compliance with the GDPR. Nonetheless, organisations should not underestimate the enormity of the task in hand. Put simply: there is a lot to do.
What about Brexit?
The Information Commissioner’s Office will start enforcing the GDPR on 25 May 2018. That means that, even if Article 50 of the Lisbon Treaty is triggered today, the GDPR will be applicable in the UK for many months before any exit negotiations are concluded. So, organisations in the UK will need to comply with the GDPR for a period of time at least. This much is certain.
What happens to the GDPR after the UK officially leaves the EU is less clear. Most commentators agree that it is likely that the UK will either retain the GDPR in its entirety or adopt a very similar arrangement. Our view is that adopting the GDPR would be the simplest option for the UK government since the GDPR will already be law in the UK and any UK organisations operating across the EU will need to comply with the GDPR in any event. This approach would certainly help safeguard the position in respect of international data transfer, which will be a key priority for the UK government. With that in mind, we think that the principles of the GDPR will not immediately alter following the UK’s withdrawal from the EU. This is something that we will be monitoring very closely as the exit negotiations progress.
Those of you who are thinking (or, indeed, hoping) that Brexit may have made the GDPR redundant, think again. It is time to start preparing yourself for the GDPR.
The bottom line
Time is ticking. 14 months is a relatively short period of time in which to effect positive and considered business change. At the very least, organisations should be assessing how the GDPR applies to them and the extent of the work they need to do. Embrace those internal data protection audits and do so as soon as possible.
As the Information Commissioner herself said recently: ‘There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone.’
How we can help
We have a wealth of current experience helping clients from a variety of sectors, including emergency services, regulators, central and local government and the private sector, to prepare for the GDPR, including:
- reviewing and updating privacy notices, data protection policies and procedures to ensure compliance with the new regime – in particular, ensuring that they cover all new individuals’ rights, contain appropriate procedures for notification of data breaches and adhere to the enhanced subject access request requirements;
- advising on the requirement for the new Data Protection Officer role;
- workshopping and advising on ‘privacy by design’ for new IT solutions and drafting privacy impact assessments;
- ensuring that the seeking, obtaining and recording of consent meets the new requirements; and
- advising on international data transfers.
If you need any help getting your organisation compliant with the GDPR, or for advice on any other data protection matter, please contact Louisa Williams on 020 7405 4600 or email firstname.lastname@example.org.
This article is for general awareness only and does not constitute legal or professional advice. The law may have changed since this page was first published.