EU DATA PROTECTION – HOW IS THE LAW CHANGING AND WHAT DOES IT MEAN FOR THE UK?

The EU General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and, regardless of whether the UK has by then invoked Article 50 of the EU Treaty to leave the EU, the GDPR will have the same impact on companies within the UK as it will on any company in the world that deals with the personal data of EU citizens.

The Data Protection Directive 1995 and the Data Protection Act 1998

As it stands, the UK is governed by the Data Protection Act 1998. This is the UK’s implementation of the EU’s Data Protection Directive 1995 (1995 Directive), which itself was enacted in response to the growing volume of personal information flowing across international borders within and outside the EU.

The 1995 Directive set out the framework within which data subjects’ personal data could be lawfully processed by a data controller. To unpack this slightly, “personal data” is any information relating to an identified or identifiable natural person; a “natural person” is an individual; and a “data controller” is the natural person or organisation responsible for the choices regarding the purpose and means of processing an individual’s data. Responsibility for complying with the 1995 Directive rests with the data controller. 

The definition of “data processing” under the 1995 Directive is:

"any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction".

Essentially, anything a company or “data controller” wishes to do with an individual’s personal information is likely to amount to data processing under the 1995 Directive, which was of course the deliberate intention of such a wide-ranging definition. The following key principles are central to the 1995 Directive:

1.    Data processing must be lawful.

  • The data subject must have given unambiguous consent.
  • Processing must be necessary for the performance of a contract or other legal obligation to which the data controller is subject.
  • Processing must be necessary to protect the “life or death” interests of the data subject.
  • Processing must take place in the performance of a task carried out in the public interest.
  • Processing must be necessary for the purposes of a legitimate interest of the data controller.

2.    The Principles of Data Quality must be implemented.

  • Personal data must be processed fairly and lawfully. Lawfully means within the bounds of existing data protection law. Fairness is principally about transparency.
  • Personal data must be collected for a specified purpose. That purpose can be any lawful purpose, as long as it is specified and explained to the data subject.
  • Personal data must be adequate and relevant. Adequacy means that the data controller should hold no more data than is necessary to fulfil its legitimate purpose.
  • Personal data must be accurate and up to date.
  • Personal data must not be stored for longer than necessary and must be specific to the purpose for which they are to be collected.

3.    Data subjects have the right to obtain information about who holds their data. They also have the right to access that data and to object to its processing.

The scope of the 1995 Directive is not limited to the EU Member States but any organisation in the world that deals with the personal data of EU citizens. EU domiciled companies that process data cannot send that data to “third countries” outside the EU unless the relevant organisation within that third country has in place rules regarding data protection that meet the conditions of the 1995 Directive and specifically the following conditions:

  • the data subject consents to the transfer;
  • binding corporate rules exist to protect an individual’s data; or 
  • standard contractual clauses have been agreed that meet the conditions of the 1995 Directive.

The General Data Protection Regulation 2016

It is over 20 years since the 1995 Directive was enacted and, in the meantime, the landscape for data processing has changed dramatically. Since 1995 we have been confronted with the enormous advancement of internet devices, the emergence of online retail, and the propagation of entirely new industries based on the use of individuals’ personal data. It is in this radically changed context that the GDPR has been agreed.

The GDPR will replace the 1995 Directive in its entirety and will be directly applicable to European Union Member States without the need for implementing national legislation. It will also effectively be directly binding on countries outside the EU and therefore, where the data subjects are within the EU, Brexit will be of little consequence from a data processing perspective.

The following key changes will be brought about by GDPR:

Territorial Reach – GDPR applies to any organisation whose processing activities relate to offering goods and services or monitoring behaviour within the EU, even if they are not established in the EU.

Accountability – Onerous obligations will be placed on data controllers to establish that they are complying with the 2016 Regulations.

Consent – must now be freely given, specific, informed and unambiguous. It can also be withdrawn. Existing consent will still be effective provided that it meets the new conditions.

Direct Marketing – The right to object to data being used for marketing purposes must be specifically brought to data subjects’ attention.

Notification – of data breaches must be brought to the attention of the Data Protection Authority without undue delay.

Data Protection Impact Assessments – must now be undertaken, essentially reviewing the potential for and consequences of a breach of data protection rules.

Sanctions – Fines for certain infringements can now be up to 4% of annual worldwide turnover or €20 million, whichever is higher. This is a marked increase.

Binding Corporate Rules – must now be explicitly stated to legitimise intra-group international data transfers.

Lead Authorities – GDPR introduces a system allowing Data Protection Authorities in different Member States to co-ordinate with one another.

Data Protection Officers – must be introduced by (i) public authorities; (ii) data controllers processing data subjects on a large scale; and (iii) organisations whose core activities are processing special categories of data on a large scale.

Right to be Forgotten – Individuals have the right to require that their personal data is erased without undue delay.

Looking Forward

Although GDPR will not come into force for the next two years, preparation will be necessary in order to minimise the risk of non-compliance. GDPR will be of direct relevance to all companies dealing with data in the EU, and any organisation found to be in breach of GDPR will be subject to a fine of up to 4% of its annual global turnover or €20 million, whichever is greater.

The onus is on the data processor to ensure compliance, so now is the time for companies to review and update their policies, procedures and contracts in line with GDPR and to prepare for a new and very different legal environment.

Katharine A. Lawrie

July 2016