Did you register with the Information Commissioner's Office years ago as a holder of personal data? Have you done anything about it since? Or have you assumed there was nothing else to do?
On 25 May 2018, the General Data Protection Regulation (GDPR) will come into force. The new law will tighten up the compliance requirements for holders of personal data and increase the enforcement powers of the Information Commissioner.
Organisations must report breaches of the GDPR to the Information Commissioner;
Increased fines of up to 4% of annual turnover;
New accountability principle means organisations must have policies and procedures in place to show compliance;
Public authorities and some organisations must appoint a Data Protection Officer;
Other organisations should designate a member of staff responsible for data protection;
Individuals and children have more rights;
Privacy impact assessments are mandatory in some circumstances;
Data processors have the same obligations as data controllers;
BREXIT is unlikely to affect the introduction of the GDPR, which comes into force before the United Kingdom leaves the European Union. In any event, the UK will need a regulatory regime similar to the GDPR in order to do business with the EU.
At present, the Data Protection Act 1998 protects the privacy of individuals. The Act's fundamental principles will be retained in the GDPR.
It is unlawful for any organisation to hold information or “personal data” about individuals, unless certain conditions are satisfied.
The definition of personal data is broad. Most, if not all, organisations hold this sort of data, no matter how small. Any organisation that employs staff holds their personal data.
Individuals have a right to obtain the information organisations hold about them. If the information is held unlawfully, they may complain to the Information Commissioner and bring proceedings in the courts. In some circumstances, they can claim compensation.
The Information Commissioner has enforcement powers which include significant fines.
Security is one of the principles that must be satisfied. This can be a reputational issue. Cyber-attacks are high profile and may be disabling. In the past, there have been debilitating breaches of security resulting simply from large organisations failing to apply available patches to their software. These have attracted significant fines from the Information Commissioner, and also from the Financial Conduct Authority.
Organisations which hold payment card details (such as train operating companies) and copy documents such as driving licenses (for example scrap metal dealers) must be particularly vigilant so as to avoid theft, including identity theft, from individuals.
There are implications for direct marketing campaigns. At present, the Privacy and Electronic Communications Regulations 2013 control and prevent businesses from “cold calling” individuals by email, mailshot, telephone, text or fax. They also govern the use of “cookies” on websites.
Individuals have recovered damages for harassment in response to repeated mailshots and other unsolicited approaches.
Data protection may have a bearing on claims against public authorities under the Human Rights Act 1998, for breach of the article 8 right to privacy, and on claims against organisations for breach of confidence, and in defamation cases.
The GDPR will apply to all organisations that hold personal data. On 21 September 2017, we will be holding a seminar close to the Barbican on data protection and related organisational and technical issues. Save the date.