As technology rapidly advances and is increasingly relied upon in many aspects of life, we consequently live in an increasingly data-driven world. This widespread use of technology and data-driven content is a considerable change from the time when the old data protection legislation was established. The potential for personal data abuse, theft, loss and privacy breaches is significantly higher than it was just a couple of decades ago, and so the need for a solid legal data protection framework is much more apparent. Taking this into account, the aim of the European legislators was to provide a much more harmonised legal framework for data protection across the member states and to protect all EU citizens from privacy and data breaches.
In April 2016, after nearly four years of negotiations, the European Parliament and the Council adopted the General Data Protection Regulation, which replaces the old legislation and has direct effect in all EU member states without the need for further implementing legislation. The GDPR is designed to benefit both individuals and organisations by increasing legal certainty, reducing the administrative burden and cost of compliance for organisations that are active in more than one member state and, importantly, enhancing consumer confidence in the single digital marketplace.
Whilst this has been achieved in part, opinions differed on a number of matters during negotiations, and in order to reach political agreement there remain a number of areas covered by the GDPR where member states are allowed to legislate differently in their own national data protection laws. Therefore, whilst the GDPR does build a more harmonised framework, it is likely that significant differences in data protection laws and enforcement practice among member states will continue as a result.
It is the Data Protection Act 2018 (the “DPA”) which sits alongside the GDPR and sets out the data protection framework within the UK. It regulates the processing (including the collection, use, storage, disclosure and destruction) of personal data about individuals, and supplements and tailors the GDPR. It also extends a modified GDPR to some other (rare) cases which fall outwith the scope of the GDPR itself (such as processing for national security or defence purposes) and sets out separate regimes for law enforcement authorities and intelligence services. Post-Brexit, the GDPR will continue to form part of UK law as a result of the European Union (Withdrawal) Act 2018, with some technical changes to make it work effectively in a UK context.
The GDPR provides six key data protection principles:
- Lawfulness, fairness and transparency: Data should be processed lawfully, fairly and in a transparent manner.
- Purpose limitation: Data should be obtained only for specified, explicit and legitimate purposes.
- Data minimisation: Data should be adequate, relevant and limited to what is necessary for the purposes for which it was obtained.
- Accuracy: Data should be accurate and, where necessary, kept up to date.
- Storage limitation: Data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.
- Integrity and confidentiality: Appropriate security measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
These principles are broadly similar to those in place under the old legislation. However, there are a few key changes. Most obviously, the principles relating to individuals’ rights and the international transfer of personal data have been removed from the list of principles (they have not been removed from the legislation, but simply moved elsewhere and dealt with separately under distinct chapters of the GDPR).
There is also a new accountability principle, which heralds something of a step change in data protection compliance, as it requires organisations to take responsibility for complying with the principles, and to have appropriate processes and records in place to demonstrate that they comply.