The new General Data Protection Regulation – what it means for you

At last, the text of the new General Data Protection Regulation (GDPR) has been agreed, four years after the first draft was published. It is due to come into force in 2018.

What are the main changes?

• Fines - Much larger fines for breaches – whereas the UK data protection watchdog, the Information Commissioner’s Office (ICO), currently has the power to fine organisations up to £500,000, when the GDPR comes into force organisations can be fined up to 20 million euros or 4% of their global turnover, whichever is the larger. Although this is smaller than original proposals (100 million euros or 5% of annual turnover), the level of fines is eye-watering and should ensure that data protection becomes a fitting subject for Board level discussion and accountability.

• Power to the people – the focus of the GDPR is very much on putting data subjects in control of their personal data. If you currently rely on the consent of individuals, you need to be aware of the tightening up of the rules:

• Consent cannot be buried in Ts and Cs; you will need to point out to individuals how their personal data will be used;
• Consent can be withdrawn at any time and this must be explained to individuals before it is obtained;
• To be freely given (and therefore lawful), consent cannot be presented as a “take it or leave it” option.

• Data Protection Officer – certain organisations will be required to appoint a Data Protection Officer. In previous proposals, the threshold was either the number of employees (250 minimum) or the number of data subjects whose personal data was being processed (5,000). Now more complex requirements are in place before the threshold is reached for the mandatory appointment of a data protection officer:

• where processing is carried out by a public authority; or
• where the core activities of the data controller require systematic and regular monitoring of data subjects on a large scale; or 
• where the core activities require processing on a large scale of special categories of data.

• More accountability – the GDPR sets out new responsibilities for organisations, including:

• Implementation of data protection policies;
• Record keeping obligations by data controllers and data processors;
• Prior consultation with the ICO in high risk cases;
• Notification to the ICO of data breaches within 72 hours of an incident being discovered, and obligation to notify individuals where risk is high.

• Direct applicability – whereas the EU Data Protection Directive had to be implemented into domestic legislation (in the UK via the Data Protection Act 1998), the GDPR becomes law immediately in all member states when it comes into force in 2018. The idea is to ensure harmonisation of the legislation across borders, although inevitably different member states will have their own interpretation of the same legislation.

• Wider scope – the GDPR will apply to organisations with no establishment in the EU, provided they offer goods or services to individuals in the EU or monitor their behaviour in the EU. It does not matter that payment is not required for the organisation to be caught by the new legislation, so this will capture most websites and apps where cookies/usage information is retrieved.

• Restrictions on overseas data transfers – the GDPR has expanded the opportunities for lawful transfer to territories outside the EEA that are not declared as having adequate data protection regimes in place, which will now include:

• Binding corporate rules;
• Standard contractual clauses adopted by the European Commission or the ICO (and approved by the EC);
• Other contractual clauses authorised by the ICO;
• Approved code of conduct;
• Approved certification mechanism.

Standard contractual clauses and binding corporate rules have been around for some time. Organisations that have been hit by the withdrawal of the “safe harbour” regime for transfers to the US may take some comfort from the expanded opportunities above, but it remains to be seen how these will work in practice.

What should HR be doing now?

The ICO has indicated that it will be preparing detailed guidance to organisations to help them prepare for the changes ahead. Processing of personal data is part and parcel of the HR function, and, given the potential size of fines, it is imperative that all organisations have clear processes in place for the management of personal data – for staff, customers and any other parties. HR should be involved in establishing an accountability framework within the organisation, ensuring that staff are trained properly and that impact assessments are put in place to review any risky processing activities. 

For more information, contact Piers Leigh-Pollitt