updated on 22 May 2018
As of 25 May 2018, the EU General Data Protection Regulation (GDPR) will come in to force. The GDPR is a watershed moment, requiring organisations (referred to as "data controllers" under the GDPR) to take stock and think about how they process personal data at an organisational level. For many data controllers, this has meant significant investment into internal restructuring and efforts to achieve compliance, in the process propelling data protection from a somewhat niche area of private practice into the mainstream.
The current seminal piece of data protection legislation in the UK is the Data Protection Act 1998 (itself a transposition of an EU Directive). While the Data Protection Act went some way in protecting the rights of individuals, given the era in which it was drafted (ie, before social media and the take-off of the Internet), it is now unquestionably outdated.
Recital 6 of the GDPR sums up the need for change: "Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities."
The GDPR, which is six years in the making, forces data controllers to be on the whole more transparent about their processing activities, including setting out, among other things:
One of the biggest changes is that the GDPR applies extraterritorially where an organisation is processing the personal data of an EU citizen or where they are offering goods and/or services in the European Union. In practice this means that a company based solely in the US, for example, who is processing the personal data of an EU citizen will have to comply with the GDPR.
The GDPR increases the rights of individuals in respect of their personal data and streamlines the ways in which those rights can be exercised. One of the more high-profile rights (which stemmed from a European Court of Justice ruling against Google in 2014) is the right of erasure or 'right to be forgotten' which allows individuals, in certain circumstances, to request that their personal data be erased by a data controller.
The conditions for consent have also been tightened up, requiring consent to be "freely given, specific, informed, and unambiguous". In practice this casts a shadow of doubt as to whether employers, being in a superior bargaining position, can ever rely on consent in relation to their employees. For other data controllers, it requires them to rethink how they go about getting the consent of their customers for, among other things, marketing purposes.
In recognition of the extra burden that the GDPR imposes, some data controllers have an additional requirement to appoint a data protection officer (DPO). The DPO is there to ensure employees are properly trained in respect of their obligations under GDPR, to monitor the data controller's compliance with GDPR, to provide advice when the data controller is thinking about implementing a high-risk processing activity, and to act as a point of reference to the supervisory authority, which in the UK is the Information Commissioner's Office.
The headline reason why businesses are investing in GDPR compliance is the increase in potential fines. For data controllers, a breach of GDPR can result in a fine of up to €20 million or 4% of global group turnover, whichever is the larger. By way of example, the maximum fine under the new regime could see Facebook fined up to $1.6billion (based on 4% of global annual turnover in 2017). For context, the maximum fine that could be issued under the Data Protection Act 1998 was £500,000.
Perhaps the more punitive consequence of non-compliance is the reputational damage that data controllers may face, leading to a loss of trust and confidence among users, consumers and investors. Since the alleged widespread mining and misuse of Facebook users' personal data carried out by London based data analytics firm Cambridge Analytica, Facebook has lost somewhere between €30-60 billion in market value.
Such high-profile misdemeanours in the face of the upcoming GDPR, and in a time where people are waking up to the reality of just how much personal data they share and who it is shared with, are sure to create issues down the line, not just for big tech but for all data controllers.
The expansive changes brought in by GDPR and the fact that it is something that data controllers cannot ignore makes it a hot topic. Accordingly, it's one to brush up on when it comes to showing commercial awareness in both your applications and at assessment centres. No doubt the first big headline will arrive if and when the Information Commissioner's Office uses its new, sharper teeth, in fining a data controller for a high-profile breach of the GDPR.
To find out more, see what Shoosmiths is doing to help clients manage the introduction of GDPR.
Sam Henegan is a trainee solicitor at Shoosmiths. He is based at the firm’s Nottingham office. This article was first published on the Shoosmiths website.
This article is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.