Wide-ranging changes to European Data Protection Law to come into force in May 2018
The General Data Protection Regulation (GDPR) was adopted at the EU level in April 2016 and will replace the current UK Data Protection Act 1998 on 25 May 2018 (see Proposed changes to European Data Protection Law and the impact of 'Brexit').
The GDPR will bring significant changes to the data protection framework in the UK, imposing new compliance obligations on a wide range of data processing activities, from collecting customer data and data transfers to employee monitoring and the use of CCTV.
Organisations processing data (data controllers) will face stringent new conditions to obtain valid consent from individuals (data subjects). Data controllers must be able to demonstrate that the individual has consented to the processing, and any request for consent in writing must be in a form that is distinguishable from the rest of the document and is formulated in clear and plain language. Crucially, the individual must also have the right to withdraw consent at any time, and it must be as easy to withdraw consent as to give it.
As a consequence of these new rules, many organisations will need to review and update existing contracts, general terms and conditions and other documents to make sure that the consent section is explicit and written in clear, simple terms.
The GDPR also strengthens the rights of individuals by introducing the new rights of data portability, the right to be forgotten and certain rights in relation to profiling. Businesses whose main data-related activity is providing services to data controllers (data processors) will face direct obligations and liability under the GDPR for the first time.
Significant sanctions for non-compliance are also promised, including new fines of up to the greater of €20 million and 4% of worldwide turnover. These fines apply to numerous types of infringement, including breaches of the basic principles for processing (including the conditions for consent), of individuals' rights and of the conditions for lawful international data transfers.
Ensuring compliance with the GDPR is likely to be a time-consuming endeavour for organisations and will range from redesigning internal systems that process personal data to renegotiating contracts with third-party data processors and restructuring cross-border data transfer arrangements. The Information Commissioner, Elizabeth Denham, has warned businesses that there is no time to delay in preparing for "the biggest change to data protection law for a generation".
Jaymini is an associate in the Corporate team.