Data Protection: New Regime To Apply From 2018
In December 2015 the text of the new General Data Protection Regulation (the GDPR) was finalised. The GDPR will replace all current national data protection laws within the EU, as the aim of this new legislation is to provide a single data protection law that applies across the whole of the EU. The GDPR will be formally adopted by the European Parliament in 2016 and will come into force 2 years after that date. As a Regulation, the GDPR will come into force automatically in all member states of the EU without the need for national implementing legislation, although UK legislation which is inconsistent with the GDPR will need to be amended.
Key points to be aware of:
- Silence, pre-ticked boxes or inactivity will no longer constitute consent to the processing of personal data.
- The current system of notification in the UK will be replaced by a requirement for data controllers to keep internal records in relation to the data processed.
- Security breaches must be reported to the Information Commissioner within 72 hours after the data controller becomes aware of the breach. Currently there is no obligation to notify the ICO of any breach.
- Fines will increase from a current maximum of £500,000 to 4% of global turnover in the year preceding the breach or Euro 20 million for the most serious breaches, and 2% of global turnover or Euro 10 million for other breaches.
- The rights of data subjects have been widened to include (amongst other changes) the right to be forgotten, which means that data subjects will be able to request that their personal data is erased and no longer processed.
- If processing personal data in relation to children under the age of 16, the consent of the person with parental responsibility for the child must be obtained.
- Businesses whose core activities require the processing or monitoring of personal data on a large scale will be required to appoint a data protection officer. The data protection officer can be a staff member or an external contractor and they can be appointed in relation to a group of undertakings.
Over the next 2 years there is much that businesses will need to do to prepare for the new regime. For more information about how the GDPR may affect your business, talk to Tollers on 01908 396230 and ask for Liz Appleyard in our Commercial Law Team.