General Data Protection Regulation Q&A
7th April 2017
Alex Egerton answers questions on the upcoming General Data Protection Regulations
1 What is data protection law?
Data protection law requires organisations to which we give our personal information to honour that trust.
The first legislation (the 1984 Data Protection Act) became law in 1985. Its provisions reflect a time when the Filofax was the equivalent of the now ubiquitous smartphone. The 1998 Data Protection Act became law in 2000 and updated the 1984 Act so that the legislation could meet the changes brought by the evolving digital age. The new GDPR will reconcile those protections with the challenges of the latest technological quantum leap, which has brought us the “internet of things” and “big data”.
2 What is the GDPR?
The General Data Protection Regulation is EU legislation that will become law across the EU on 25 May 2018. The 1998 Act will disappear.
3 Headline changes
The existing principles of data protection will be replaced with different principles, and individuals will be given more rights. Businesses will have to show that they have fully considered what data they are processing, why, and how. This duty to account replaces the current need to register each year.
4 What will be the impact of Brexit?
Any organisation based outside the EU will be subject to the GDPR if it either:
- offer goods or services to data subjects in the EU irrespective of whether payment is received
- monitor data subjects' behaviour which takes place within the EU
This means that many non-EU businesses that were not required to comply with the Data Protection Directive will be required to comply with the GDPR - even Silicon Valley.
I cannot see UK data protection law deviating from the EU’s. If this were the case, then businesses would have to adhere to two parallel regimes.
5 Should we be worried?
Steve Wood, Head of Policy Delivery at the Information Commissioner's Office (ICO), in his blog post "A data dozen to prepare for reform" of 14 March 2016, explained that:
"Many of the principles in the new legislation are much the same as those in the current Data Protection Act. If you are complying properly with the current law, then you have a strong starting point to build from. But there are important new elements, and some things will need to be done differently."
Every organisation that processes personal data needs to start reviewing its activities. There are three questions that, come May 2018, each organisation must be able to answer:
1 If the ICO asked to see the paper trail which sets out how data is processed and which systems and policies ensured that the processing met the principles of the GDPR, could you release it immediately?
2 If you received a subject access request (SAR), could you deal with it within a month? The ICO regards SARs as the “canary in the coal mine”: it will assume that organisations that cannot deal with SARs are not GDPR compliant and will investigate.
3 All breaches have to be disclosed to the ICO within 72 hours. Would you be aware of a breach – let alone have all the information necessary to disclose it in that tight timeframe?