The GDPR came into force on 24 May 2016, with the intention of harmonising data protection rules across the 28 member states. Its further aim, following several high profile data breaches, was both to strengthen the rights of data subjects and to make sure that organisations take their data protection obligations seriously. Companies now have two years to ensure compliance with the new provisions, which apply from 25 May 2018. But just what will such compliance involve, and how will it affect your business? A brief overview of some of the key changes is outlined below.
Consent
Consent requirements are much more stringent than under the previous Directive. Where processing relies on consent, data subjects must actively opt in to their data being used, and their agreement must be informed, specific, unambiguous and freely given; silence or pre-ticked boxes no longer count. Controllers must be able to demonstrate that such consent was given, and must inform users of their rights, including the right to withdraw consent, which has to be as easy to exercise as giving consent was.
Processors
In a key change from the previous Directive, processors are now under direct obligations of their own. These include keeping records of their processing activities, implementing appropriate security measures, and notifying the controller without undue delay after becoming aware of a data breach. Most significantly, data subjects will be able to claim compensation directly from a processor for damage caused where the processor has failed to meet the obligations specifically addressed to processors, or has acted outside or contrary to the controller's lawful instructions.
Data Breach Notification
The GDPR creates a single, streamlined reporting process across all member states. Data controllers must report a personal data breach to the relevant supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where that risk is high, the controller must also inform the affected data subjects without undue delay. In both cases, the notification should at least give contact details (of the data protection officer or another contact point) for further information, describe the likely consequences of the breach, and set out the measures taken or proposed to deal with it; reports to the authority must also describe the nature of the breach, including where possible the categories and approximate numbers of data subjects and records concerned. Two practical points follow. First, the 72-hour clock runs from awareness, so detection, triage and escalation have to be fast enough to meet it; where the full picture is not available in time, the Regulation allows the information to be provided in phases rather than delaying the initial report, and a report made after 72 hours must give reasons for the delay. Second, controllers must document every breach, whether or not it is reportable, so that the authority can verify compliance.
Right to be Forgotten
Building on the decision in the Google Spain case, data subjects now have the right, in certain situations, to ask that their personal data be erased from a company's records without undue delay. These situations are set out in Article 17 of the Regulation and include the data no longer being necessary for the purpose for which it was collected, and withdrawal of consent where there is no other legal ground for the processing. The right is not absolute: processing may continue where it is necessary, for example, to comply with a legal obligation. Where the controller has made the data public, it must also take reasonable steps, taking account of available technology and the cost of implementation, to inform other controllers processing the data that erasure has been requested. Businesses should be working out now what they would have to do if a consumer requested erasure: that means knowing where the data sits, including in backups, logs and with any processors, and having a process to action the request and confirm completion.
Sanctions
Tougher sanctions will be imposed on those who fail to comply. The GDPR sets out a two-tier system of administrative fines: up to €10,000,000 or 2% of worldwide annual turnover for the lower tier, and up to €20,000,000 or 4% of worldwide annual turnover for the higher tier (which covers, among other things, breaches of the basic processing principles, the conditions for consent and data subjects' rights), in each case whichever is the higher. This is in stark contrast with the current maximum fine in the UK of £500,000.
Given the steep penalties for infringement, companies should take the time now to review their current data processing so that they will be able to comply with the Regulation when it applies from 25 May 2018.
Partner IP & Commercial Contracts