6th July 2016
Although there is uncertainty around Brexit, it seems likely that there will be major changes to privacy and data protection law in the UK. The changes take the form of an EU Regulation. Up to now, Regulations have automatically become law in all EU states. The recent referendum result means that this may not happen in the future, although as the implementation date is May 2018, it is likely that this Regulation will still come into force in the UK. What is certain is that the Regulation will apply if you deal with any other EU states, and given the timescale it is something that is probably worth ensuring you comply with.
The new law is the General Data Protection Regulation or GDPR. It consists of 173 Recitals and 99 Articles. The Regulation was approved by the EC in April 2016 and in the UK the Information Commissioner's Office (ICO) will be publishing detailed guidance about compliance in conjunction with a European Working Party. Up to now the ICO have published a 12 step guide about what you should be considering and their detailed guidance will be available over the coming months and will be in three phases – familiarisation, guidance structure and bulk guidance. The office has said that where possible they will adapt existing Data Protection Act guidance. In a statement issued after the referendum result, the Information Commissioner Christopher Graham said that the organisation would be speaking to the Government about the impact of the result but it was of the view that UK data protection law does need reforming.
From a business point of view, all data controllers (i.e. most organisations) will need to review the guidance to make sure they comply. Compliance with the current Data Protection Act will not mean compliance with the new GDPR. As well as some changes and some more stringent guidelines, the penalties for not complying have also increased substantially: they are now up to 4% of global annual turnover. There is also an obligation on hosting companies as well as on the organisations themselves, and the legislation will cover the way data is held and the time allowed for reporting any data breaches.
In broad terms, the legislation covers the rights of individuals, concerning fairness, consent, transparency, access, the rights surrounding rectification and erasure (the so-called “right to be forgotten”) and data portability.
We’ll be covering this in more detail over the next few months, and we are also working on a piece of software, for legal firms and for end users, that could help manage the change. If this is of interest please contact us and we can let you know when it is available.