If it was not already on your (or your clients’) radar, data protection laws in the EU are changing substantially on 25 May 2018 when the General Data Protection Regulation (GDPR) comes into force. Brexit will not affect the introduction of the GDPR in the UK. The UK Government and the Information Commissioner (“ICO”) have made it clear that the changes brought in by the GDPR will continue after Brexit as implemented through a data protection bill (currently in draft form).
EU lawyers will be familiar with the changes introduced by the GDPR. They include many additional and more onerous obligations, such as detailed record keeping and documentation requirements, and some significant new data protection concepts. In addition, the penalties for getting it wrong are much more severe than under current data protection law, with potential fines of up to 4% of worldwide turnover or €20m (whichever is greater).
Law firms located outside of the EU should take note that one of the key changes introduced by the GDPR is to extend the territorial scope of EU data protection laws so that many non-EU businesses who market to, or monitor (including online profiling), consumers in the EU will be directly subject to the GDPR. There is also a requirement for organisations subject to the GDPR’s “long-arm” jurisdiction to appoint an EU based representative.
Other key features
- For some businesses, a requirement to appoint a data protection officer (DPO) and to carry out a data protection impact assessment;
- Direct obligations and liability on data processors and, for data controllers, more detail required in contracts between data controllers and processors;
- The “Accountability” concept, with increased record keeping obligations;
- Higher standards for consent – existing consents will not be valid and it will be much harder to obtain a valid consent;
- Enhanced data subject rights, including new rights to “be forgotten” and to data portability;
- More information to be provided in privacy notices;
- Increased data security obligations with the principles of data protection “by design” and “by default”;
- Mandatory data breach reporting to the ICO within a short time of a breach arising;
- For multinationals, the ability to deal with one “lead supervisory authority”.
We have been providing a lot of advice to clients, both in terms of their regulatory obligations where the businesses hold a lot of sensitive data on their customers, and in respect of their employees in the UK. This is particularly the case where data is also going outside the EU, to parent companies in (for example) North America.
We have also been assisting our clients through GDPR readiness projects and data audits. The GDPR may require significant changes for businesses and, as some of these changes require substantial lead time, the sooner preparations are started the better.
In particular we are:
- Advising on the appointment of a Data Protection Officer (DPO), and carrying out privacy impact assessments;
- Reviewing / updating data protection policies and privacy notices;
- Advising on the HR aspects of data protection, including drafting staff data protection policies and advising on communications monitoring, recruitment and selection;
- Providing data protection training to organisations;
- Advising on consent mechanisms and on other legal bases for processing personal data;
- Drafting data retention policies, and data breach incident response plans;
- Reviewing / drafting / amending data processor agreements, with vendors or clients;
- Advising on implications of GDPR in specific areas such as profiling, use of biometrics, and compliance with new data subject rights;
- Implementing international data transfer arrangements, including Model Clauses, Privacy Shield and Binding Corporate Rules;
- Advising on the scope of, and how to implement, the new rights to “be forgotten” and to data portability;
- Advising in relation to data breaches / cyber-attacks for compliance and damage limitation;
- Liaising with the ICO and assisting clients with investigations;
- Checking post-implementation changes.
Draft data protection bill (DP Bill)
We also take the DP Bill into account in our data protection work. The DP Bill was published on 14 September 2017 and aims to modernise the UK’s data protection law and ensure that the UK is prepared for the future after it leaves the EU.
The DP Bill is drafted with explicit reference to the provisions of the GDPR and implements the standards and concepts introduced by it. In addition, the GDPR gives member states limited opportunities to legislate on data protection matters. This includes where the processing of personal data is required to comply with a legal obligation, relates to a public interest issue or is carried out by a body with official authority. Processing of employee data is another significant area where member states may take their own approach. One element of the DP Bill is to give more detail in relation to these matters. It is therefore important that the GDPR and the DP Bill are read side by side.
However, the DP Bill is not limited to GDPR provisions. It also covers:
- processing that does not fall within EU law, for example, where it is related to immigration (although GDPR standards are applied);
- exemptions which have worked under current UK data protection law such as in relation to research, financial services, journalism and legal services;
- the implementation of the EU’s Law Enforcement Directive (part of the EU’s data protection reform which is separate from the GDPR);
- national security, which is outside the scope of EU law (for example, applying internationally recognised data protection standards to the intelligence services); and
- the duties, functions and powers of the UK’s data protection authority (the ICO).
The DP Bill is very much in draft form and there is no guidance yet in relation to it. However, we will continue to monitor any developments in respect of the DP Bill and guidance as may be issued by the UK government or the ICO.