New Data Protection Rules

Posted on: February 1st, 2017

Despite Brexit, an overhaul of Data Protection Rules is to be implemented and these will apply from May 2018.  This will affect organisations of all sizes and small businesses could risk substantial fines if the new rules are ignored.

The new rules are designed to hand control of personal data to individuals rather than organisations.

The new rules define personal data as any information relating to a natural person, which will include personal details, family and lifestyle details, education, medical details, employment details, financial details and contractual details.  Under the directive, special rules will apply to the processing of personal data that reveals racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership or health issues.

The issue of consent, which validates the use of personal data, is also a significant development.  Organisations need to ensure that they are explicit when seeking consent and detail how they will use the information.  An individual’s silence or inactivity will generally no longer be considered as consent.  Businesses must be much clearer on how customer data is collected and stored.  They have to make it easier for customers to tell organisations to ‘forget’ them and must provide greater protection for children.  Any data breaches must be communicated within three days to the Information Commissioner’s Office, the data regulator.

Organisations need to start acting now to ensure that they are compliant.  In particular, they need to consider:

  • whether Data Protection Officers should be appointed;
  • whether they should protect privacy by design;
  • whether they have adequate systems in place to manage data breaches that may arise and to comply with the notification requirements;
  • whether they are able to ensure compliance with the more restrictive principles of not holding data longer than absolutely necessary and not changing how such data is used from the original purpose specified; and
  • whether they comply with the right to be forgotten if the data subject requests this.

The penalties for not complying with the new rules will increase substantially, so businesses must take action in the near future.  Depending on the level of the breach, fines can be up to £20m or 4% of total annual global turnover based on the preceding financial year, whichever is the greater.  Data controllers and processors need clarity on what data they hold and how the personal data is used.

Businesses need to check that contractual provisions are in place with their clients and service providers to ensure compliance and adequate indemnities exist.