Over many years, my guess is that we have all come across cases when organisations have refused to tell us something or to disclose a particular document. When challenged, a common answer has been that it is not permitted because of “data protection”. I have found that on most occasions the disclosure is permitted by law, with data protection controls being a convenient excuse for refusal.
The current UK legislation dealing with the management of data and personal information is the Data Protection Act 1998, subject to amendments made over the years since then. It is a technical provision, including material which requires careful analysis. Businesses, lawyers and data handlers have, though, become reasonably familiar with the Act and the practical implementation of its controls.
The current Data Protection Act will be replaced on 25 May 2018 by a new EU measure, the “General Data Protection Regulation”, generally known as GDPR. Brexit will not impact upon the changes; GDPR will become effective regardless. It is identified as the most significant shake-up in data privacy and data security in the last 20 years.
The consequences of breach of the new rules can be substantial fines, reflecting the importance of the protection of personal information. We live in a world of electronic communications and more than ever we conduct our lives through electronic means. We are encouraged to shop online, book hotels online and more; in effect we volunteer much personal information and data to faceless third parties and organisations, with substantial reliance upon trust. This is particularly the case when dealing with matters such as online banking. It is identified by the EU as a data-driven world.
The new Regulation is intended to give greater control to the individual over how data is used, with a focus on data security. As solicitors we will be subject to greater control, with systems needing to be designed to give our clients even more confidence in the work done to protect their confidential information. The previous data protection rules remain valid, but they are strengthened with the following points requiring consideration:-
- Increased territorial scope, to require compliance for work undertaken outside of the EU if the data of subjects in the EU is processed.
- Maximum penalties for breach, including fines of up to 4% of global turnover or 20 million euros (whichever is the greater).
- Individual consent, to be expressed in clear terms.
- Rights to be notified of a breach promptly.
- Right of access to data.
- Right to be forgotten, including erasure of data and other information.
- Data portability (note recent publicity regarding transfer of financial information, e.g. between banks).
- “Privacy by design”, stressing the importance of data management in all work systems.
- Data protection officers, enhancing the status of officers within organisations and the skills required to ensure compliance. Not all organisations will need an appointed dedicated officer, but they do need employees in place who understand the rules and are responsible for ensuring compliance.
Late May 2018 will be upon us in a short time. All organisations processing and controlling data need to be working now to be ready to apply the new rules and to avoid potentially expensive breaches. There are many challenges, but also some clear rules and principles. As time passes, all of our data related activities will increase, and for us as individuals GDPR should give us additional comfort that our personal information is being kept secure and is only being used for the reasons we consent to in advance.