34: Regardless of Brexit, ICO advises employers to begin preparing for new data protection legislation
The General Data Protection Regulation (GDPR), which will replace the current EU Data Protection Directive, has been formally approved by the European Parliament and will take effect in May 2018.
The GDPR contains significant measures to replace national legislation with a harmonised EU data protection regime. Although exiting the EU will mean that the GDPR will not apply directly to the UK, any trade agreement with the EU is likely to require proof of adequate data protection measures. This means that reform of the UK’s data protection legislation in line with the new EU legislation is still a necessity. The Information Commissioner’s Office (ICO) is therefore advising all businesses to start preparing now to ensure they can comply with the detailed provisions of the GDPR.
The GDPR includes the following changes to data protection rules:
- a single legal framework will apply across the EU;
- compliance will require greater focus on transparency and the legal basis for processing;
- individuals will have enhanced rights of access to their personal data; the right to have their personal data deleted when the data controller has no legitimate grounds for retaining it; and a right of data portability;
- there must be clear affirmative action by an individual to show consent for processing, and it must be as easy to withdraw consent as to give it. Using standard clauses in employment contracts, as many employers do now, is unlikely to be sufficient;
- data controllers must appoint a data protection officer in certain specified circumstances, such as where an organisation’s activities involve systematic monitoring or large-scale processing of sensitive data;
- the current £10 fee for subject access requests will be abolished. However, a reasonable fee may be charged or the request refused if it is ‘manifestly unfounded or excessive’;
- where there is a data security breach involving a risk to the rights and freedoms of individuals, data controllers must notify the national data protection authority without undue delay and, unless there is reasoned justification, no later than 72 hours after becoming aware of it;
- multi-national companies will be able to deal with a single national data protection authority as their lead authority;
- instead of submitting an annual registration, detailed records must be kept showing data protection compliance; and
- maximum fines will be increased. National data protection authorities will be able to impose fines on a two-tier basis: up to 2% of annual worldwide turnover or €10 million (whichever is the greater) for violations relating to internal record-keeping, data processor contracts and data protection officers; and up to 4% of annual worldwide turnover or €20 million (whichever is the greater) for breaches of the data protection principles, conditions for consent, data subject rights and international data transfers. Currently, the maximum penalty in the UK is £500,000.