The way organisations handle personal information will need to go through some significant changes in the coming years to accommodate the biggest change to the data protection regulatory framework since the nineties. On Data Protection Day (Thursday 26 January), it is a good time to give some thought to what you should do to prepare.
The European authorities have been thrashing out a new set of rules for the last four years which will replace the 1995 Data Protection Directive, the regime the well-known UK Data Protection Act 1998 implements. The Data Protection Regulation will overhaul the existing regime to bring the law up to date, taking into account the digital economy.
The new rules still need to be rubber-stamped, which is expected around Easter, but we have a good idea of what rules need to be planned for when handling personal data such as customer records or personnel files. The most significant changes include:
1) Greater Fines
Penalties for non-compliance are going up significantly from the top fine of £500,000 up to the greater of 20 million euros or 4% of annual worldwide turnover. This is one way to get the attention of colleagues who think the regime isn’t relevant.
2) More Fines
The Regulation appears to expect monetary penalties to be issued for breaches of the regime which we would not have seen before such as mishandling subject access requests.
3) Data Breach Notification
The Regulation will require organisations to notify their local regulator without undue delay, and where feasible within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to those individuals, the people affected will also need to be notified. At the moment there is no formal requirement to notify breaches, but it is encouraged.
4) No More Registrations
The requirement to notify the regulator annually that you process personal data has gone. Instead, an organisation must maintain internal documentation on what they do with personal data. Record keeping will be critical and “privacy impact assessments” will be required where processing data is high risk.
5) Requirement for a Data Protection Officer
The Regulation requires some organisations to appoint a Data Protection Officer. Those organisations are (a) public authorities; (b) organisations whose core activities involve regular and systematic monitoring of people on a large scale; and (c) organisations whose core activities involve processing sensitive personal data on a large scale. This area will inevitably involve some negotiation and further consideration over the next two years to determine which organisations will be affected. However, given the greater responsibilities in the Regulation, it is likely that we would be recommending an officer is in place as a matter of course.
6) One Stop Shop Rule
If you operate an organisation with activities in multiple European Member States, you will only need to be accountable to the regulator in the territory of your main establishment. However, local regulators will still have some scope to investigate local cases.
7) Consent
If you rely on the consent of an individual to use their personal data, this will need to be reviewed because the Regulation now expects consent to be a "freely given, specific, informed and unambiguous" indication of the individual's wishes. If you handle sensitive information such as medical records, "explicit" consent is needed, which is unchanged from the existing regime.
8) Right to be Forgotten
The Regulation formally recognises the right of an individual to ask for their data to be erased by an organisation without undue delay where: (a) the data is no longer necessary for the purposes for which it was collected; (b) the individual withdraws their consent; or (c) they object to the processing.
The rules will not apply for another two years, so there is some time to get to grips with the changes. We would be recommending that 2016 is spent embedding privacy practices into your organisation through training and including privacy issues as an agenda item in management meetings, before using the time in 2017 to update policies and procedures once the practical effects of the changes are better understood.
Ross McKenzie is a qualified data protection practitioner at Scottish law firm, Burness Paull.