In today’s digitalised world we are confronted with a deluge of data. Driven by the proliferation of connected digital technology, organisations of all shapes and sizes now hold more customer information than ever before, and with this explosion of data comes greater responsibility.
In many businesses more emphasis is being placed on data management and strategy than ever before. Regulation needs to keep pace with this data revolution. With the mountain of data growing inexorably by the minute, the European Union recognised that current directives were insufficient to manage how data is governed.
In response it drafted a new regulation, published in May 2016 and known as the General Data Protection Regulation (GDPR).
A recent survey of businesses revealed that eight out of ten marketers are aware to some degree that data protection laws are changing, with nearly half (46.3%) ‘very aware’, while one third are ‘somewhat aware’.
However, this awareness has not yet translated into a high level of readiness, with only 6.5% of businesses saying that they are ‘very prepared’ for the changes ahead. Given the potentially long lead times required for changes to an organisation’s processes, it is important that these new rules are understood and that businesses know what is changing and when.
How is personal data regulation changing?
Currently, in the UK, businesses operate under the Data Protection Act 1998 (which implemented the EU Data Protection Directive 95/46/EC), a framework that was established at a time when people had less of an online presence, before the loyalty card was prevalent in the retail industry and when people were often still managing their data in a very manual way.
As we turned digital, there was a radical shift in the volume and variety of data and in the speed at which it was being produced. Discussions had been ongoing in the EU for many years about a new data protection regime to address these changes in how data is used.
Towards the end of 2015 the European Parliament and the Council reached informal political agreement on the General Data Protection Regulation ('GDPR'), and they formally adopted it in April 2016. The GDPR was published in the Official Journal on 4 May 2016 and enters into force on 24 May 2016.
Entry into force starts a two-year transition period rather than immediate application: businesses will need to comply with the GDPR’s provisions from 25 May 2018.
The GDPR focuses heavily on protecting individuals and their data. It has also been deliberately agreed as a regulation (as opposed to another directive), which means it will be a single piece of legislation directly applicable across all EU Member States, without each state having to pass its own implementing law as the UK did with the Data Protection Act 1998. The GDPR includes a number of new and increased obligations businesses will need to adhere to, including the elements described below:
Key elements in the new EU GDPR:
Rights of Individuals
There has been a desire to strengthen data subject rights within the GDPR. To this end, the GDPR includes a number of new data subject rights (e.g. the Right to Erasure, or “Right to be Forgotten”) and enhanced ones (e.g. the right to be informed about how personal data is used).
Two of these, the information to be provided where personal data is collected from the data subject and the Right to Erasure, are explained in a little more detail below.
Information to be provided on collection
Businesses need to make sure individuals understand who the controller is that is collecting their personal data and the purposes for which they are processing it. Organisations’ privacy policies will need to be updated in line with the requirements of the GDPR.
The new principle of accountability in the GDPR means there will be much more of an onus on controller businesses to demonstrate compliance with the data protection principles within the GDPR: not merely to comply with them, but to be able to show, with documented evidence, that they do.
Right to Erasure ('Right to be Forgotten')
Since the 2014 decision of the Court of Justice of the European Union in Google Spain (Case C-131/12), it has been accepted that individuals have a right to ask internet search engines to remove, from the results displayed for a search made on the basis of that person’s name, links to web pages published by third parties that contain information relating to them, where such processing of personal data is incompatible with Directive 95/46/EC.
The GDPR now sets out a Right to Erasure ('right to be forgotten') expressly. It is a qualified right: an individual may request that their data be erased only where certain grounds apply (for example, the data is no longer necessary in relation to the purposes for which it was collected), and it is subject to exceptions, such as where the processing is necessary to comply with a legal obligation or to exercise the right of freedom of expression. Where the grounds apply and no exception does, businesses will have an obligation to erase the personal data they hold concerning that individual without undue delay.
Data Protection Officer (DPO)
In certain circumstances (for example public authorities, or organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of personal data), businesses are required to appoint a DPO to help them meet their accountability obligations under the GDPR. This is a designated role with tasks set out in the GDPR, including responsibility for monitoring compliance with it.
Obligations on data processors
Under the Data Protection Act 1998 the statutory obligations fall on data controllers only; a processor is bound only through its contract with the controller. Under the GDPR, data processors will also have direct statutory obligations, for example a responsibility to implement appropriate technical and organisational measures for the security of personal data during their processing activities, and they can be fined and sued in their own right.
Data Protection Impact Assessment
Businesses will need to carry out a data protection impact assessment, before the processing starts, where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals, in particular where new technologies are used.
Data breach notification
The current Data Protection Act contains no obligation to notify the ICO or the individuals concerned in the event of a personal data breach, although ICO guidance sets out when it would be good practice to do so.
The GDPR requires controllers to report a personal data breach to their data protection supervisory authority (the ICO in the UK) without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. A notification made after 72 hours must be accompanied by the reasons for the delay, and a processor that becomes aware of a breach must notify the controller without undue delay, so incident response processes will need to be able to detect, assess and escalate a breach within that window.
Where the personal data breach is likely to result in a high risk to individuals’ rights and freedoms, the controller will also need to communicate the breach to the affected individuals without undue delay.
What is the impact of the new EU GDPR if businesses get it wrong?
Under the Data Protection Act 1998, the power of the UK Information Commissioner to impose a monetary penalty is capped at £500,000. Under the GDPR, the administrative fines a data protection supervisory authority may impose increase significantly, in a two-tier regime: up to €10m or 2% of total worldwide annual turnover of the preceding financial year for some infringements, and up to €20m or 4% of that turnover for others, including breaches of the data protection principles and of data subject rights, in each case whichever is higher.
Individuals will also have the right under the GDPR to claim compensation for material or non-material damage suffered as a result of an infringement of the GDPR. With the new rules entering into force on 24 May 2016, businesses then have two years to prepare for the changes.
They will need to understand each new obligation and make sure their data management strategy adheres to these new requirements.
It is imperative that businesses start to think about their implementation requirements now, so as not to risk falling behind. It is all about building relationships and trust: remembering the people behind the devices and doing your utmost to treat them as you would wish to be treated yourself.
Sourced from Paul Cresswell, Head of data strategy, marketing services, Experian