On 25th May 2018 the General Data Protection Regulations (“GDPR”) will come into force in the EU and align data protection rights for citizens in member states.
Data protection is not a new concept in the UK; we have had the Data Protection Act since 1998.
But I have seen an increasing number of new enquiries about data breaches, in correlation with the public being more savvy about their personal data. These can range from e-mails going out to the wrong recipient to data being hacked on a mass international scale. It seems you cannot get through a week without news on data protection and data breaches. There is increasing case law developing to deal with the evolving dynamics of data protection. Just this week we have had the first case in the UK brought against Google for the ‘right to be forgotten’ (this right will be introduced formally under the GDPR).
As the Data Protection Act is now celebrating its 20th birthday, and the concept of what constitutes ‘personal data’, along with the ways in which it can now be breached, has moved on in leaps and bounds, it is clearly necessary for the law to catch up with the times.
As a firm committed to safeguarding our clients’ and employees’ personal data, we have been working arduously in the background to prepare, and with about 2 months until judgment day, it’s now full steam ahead and all hands on deck. You will hear buzzwords like Data Mapping, Privacy Impact Assessment, Data Protection Officer, Privacy Notice, Subject Access Request and so forth. It is a bit of a minefield. The ICO is a good place to start to make some sense of the enigma that is the GDPR. Regulatory and governing bodies should also be issuing guidance to their respective professions and members.
The GDPR will not be a complete overhaul of what we have in place, but will build on existing strengths and expand on concepts that we are used to. However, the time allowed for reporting and compliance has been shortened and the stakes are now higher with the increase in penalty levels, so companies cannot afford to be complacent.
GDPR will promote a change in culture towards how we view and handle personal data, with ‘privacy by design’ approaches and a shift from a tick-box system towards risk-based assessments. You have to opt in rather than out. Consent must be freely given, specific, informed and unambiguous. You should know the purpose for which your data will be processed, and how long it will be retained, before you hand it over. Companies will have to demonstrate not only their own compliance but also that of the third parties they regularly use and share data with.
With only 81 days left, time is of the essence. Companies should all be gearing up in readiness for the big day, although nobody is quite sure what the legal landscape will look like on 26th May 2018 and beyond.