Data protection reform is happening whether the UK votes to stay in the EU or to leave. Here Dr Michelle Goddard looks at how the changes in regulation will affect you.
This comprehensive overhaul of the data protection
framework creates a new regime that attempts to modernise data protection so it
is suitable for a digital world. The jury is still out on how successful it is
in balancing rights, but changes to be aware of are that it:
- Creates a single set of rules (but not quite) –
one of the goals of the GDPR was to create a common set of rules across the EU.
However, with more than 50 exemptions that allow member states discretion as to
how they implement the rules, they will still not be fully harmonised in key
areas, ranging from the consent age for children and the exemption for research
- Operates with extraterritorial effect – The rules apply to all organisations
that process EU citizens’ personal data, regardless of where they
are located. So if you are analysing, storing or monitoring the activities of
EU citizens, your business will fall under the regulation
- Expands the definition of personal data – what constitutes ‘personal data’
is much broader and it specifically covers ‘online identifiers’. This means
cookies and advertising IDs will be caught, along with anything that
contributes to identifying an individual, or links to such identifying
- Places greater liability on both data processors and controllers – wider
responsibilities are placed directly on data processors, who now have a much
higher risk profile. Previously, there were no direct obligations, but this has
changed under the GDPR; data subjects/individuals can take direct action
against them or the data controller
- Requires greater business accountability – some administrative burdens are lifted
because there will no longer be a need to notify the UK Information
Commissioner’s Office of how you intend to use personal data. In its place,
however, are new requirements on maintaining good records and systems, doing
privacy impact assessments and entrenching privacy by design and default
- Enhances individuals rights – data subjects will have a right to be
forgotten and to data portability, so you can be required to provide data to
individuals in a format that allows them to take it to a competitor. Existing
rights have also been strengthened considerably. There will be a right of
access to data – including the retention period – free of charge, within 30
days. There is much greater focus on the clarity of information notices and it
will be easier for people to object to different types of processing, including
profiling and marketing. Businesses have an obligation to promote these rights
- Introduces notification of data breaches – there is a new requirement to notify
data protection authorities of serious breaches within 72 hours and to let
individuals know where the breach may cause harm
- Mandates appointment of Data Protection Officer (DPO) – businesses involved in regular and systematic monitoring, or
processing of sensitive data, on a large scale will have to appoint a DPO
- Raises standards for cross-border transfers – current mechanisms such as Binding
Corporate Rules and model contract clauses will be acceptable under the GDPR.
The EU-US Privacy Shields, intended to replace the Safe Harbor arrangements,
will need to go through the process for assessing ‘adequacy’ before it can be
- Increases fines and strengthens the enforcement regime – significantly heavier
sanctions are a sea change in the data protection reforms, with fines for
non-compliance of up to €20m or 4% of worldwide turnover.
Leave or remain? Data protection compliance still needs to start now
The GDPR introduces a harmonised regime with a common set
of rules, applicable in all EU member states from spring 2018. In light of
this, one obvious issue to consider is the possible impact of the result of the
June 2016 UK referendum on EU membership.
Suffice to say that – regardless of whether the country
decides to leave or remain in the EU – it is inevitable that data protection
reform will continue to be a critical part of the legal landscape.
If British citizens opt to leave, the UK will still need
to maintain commercial and trading relationships. If it decides to join the
European Economic Area (EEA), then the UK will be required
to adopt EU laws.
If the British electorate votes to leave the EU
completely, then similar or ‘equivalent’ data protections will need to be put
in place to ensure that the UK regime for data protection is considered
‘adequate’ to allow cross-border transfers of personal data of EU citizens.
Regardless of the precise legal requirements, commercial
trade – with its increasing demands on individuals and awareness of the
importance of data control – means that data-protection reform will continue to
be a core compliance issue for all businesses, including researchers. Guidance
from regulators and EU institutions will help flesh out the nuanced detail and
implications of these reforms for researchers. In the meantime, however, all
organisations need to start a GDPR compliance project.
Dr Michelle Goddard is director of policy and standards
Mapping and representation26.04.17 | cxpartners, Bristol BS1 5UE