Currently data in the UK is regulated by the Data Protection Act 1998 that followed the 1995 EU data protection directive. However, this is now being superseded by the EU General Data Protection Regulation which brings the law up to speed with new ways that data is being used. There will be tougher fines for breaches of data protection and the regulation gives individuals more say over what companies do with their data. GDPR standardises practice throughout the EU.
Even after Brexit, if UK companies want to trade with companies in the EU they will have to comply with GDPR, and the UK is introducing a very similar piece of legislation. Personal data includes email marketing lists, social media posts, names (including newsletter recipients), data held in European cloud storage and website visitors' IP addresses, as well as spreadsheets, photos, CCTV footage and documents.
Personal data is any data that identifies a person; data covered by the Data Protection Act will fall under the scope of GDPR. People can ask for their data at reasonable intervals and controllers have a month to respond. Controllers and processors should explain why the data is being processed, how long it will be kept and who will see it. An individual can ask for the data to be corrected or completed if they think it is incomplete or contains errors.
You need to get active consent from everyone you hold data about and you need to be prepared to delete files as required. Failure to opt-out no longer defaults to consent. Consent must be explicit and intentional. Consent gained before GDPR became law must meet the new high standard to be current. If you are in doubt, get updated active consent from all your subjects to ensure GDPR compliance.
Individuals can request that their data is deleted after it has been used, which is called the ‘right to be forgotten.’ The same rule applies if they withdraw consent or dislike the way it is being processed. The controller is responsible for telling Google, for example, to delete links to copies of the data as well as the copies of the data themselves.
Businesses such as Google and Facebook share user data. GDPR has been introduced to regulate this to build trust and standardise data protection across the EU. This should reduce legal fees considerably.
GDPR will take effect across the EU from 25 May 2018 in its current form without the need for Member States to introduce their own national legislation. It applies to controllers of data who have strategic oversight of the data (such as a government) and processors (often IT companies) who process it. Controllers can be liable for a breach by one of their processors.
Controllers need to check that personal data is processed lawfully, transparently and for a specific purpose. When it is no longer needed, it should be deleted. Controllers need to record active consent to keep the data, and that consent can be withdrawn at any time.
Data breaches in the UK need to be reported within 72 hours to the Information Commissioner’s Office (ICO). You should explain what data has been exposed, what impact this will have on the people involved and what steps you have taken in response to the breach. You must also tell the people affected or face a hefty fine. Fines are becoming much bigger and are often 2% of annual turnover, rising to 4% if a controller or processor does not follow procedures. Fines still need to be proportionate, and evidence of compliance with GDPR will show good faith and should reduce the fine.