Posted by Tara Taubman-Bassirian on October 17, 2016.
This morning the GDPR was in the news, shared by Rachel Oconnell:
Firms Are in Denial About Tough New EU Privacy Law: The world’s toughest privacy law will go into force in Europe 18 months from now, and so far, the strategy of many IT professionals appears to be “pretend it’s not happening.” That’s the takeaway from a survey published today by Dell that suggests most firms are unprepared for the EU’s General Data Protection Regulations.
What is required?
– mandatory reporting of data breaches: in most cases breaches will have to be reported within 72 hours,
– heavier sanctions, with significant new fines: maximum fines of €20 million or 4% of annual global turnover per breach (a dramatic increase from the current typical maximum of less than €1 million),
– extra-territorial jurisdiction: businesses outside the EU will be subject to the GDPR if they are offering goods or services to, or monitoring the behaviour of, EU residents (currently they are only caught if they operate data processing equipment in the EU). See further on this below,
– the one-stop shop: expect the UK to become a centre of forum shopping,
– an independent Data Protection Officer, mandatory for businesses that regularly monitor individuals or regularly process sensitive personal data,
– revised consent, to be express/opt-in (a ‘clear affirmative action’), whereas under the existing regime implied/opt-out consent is sometimes sufficient,
– no more registration for data controllers. Instead, they are required to maintain internal records of their processing activities (for disclosure on demand to Data Protection Authorities),
– processor liability: data processors (i.e. businesses processing personal data solely for and on the instructions of data controllers) will have direct regulatory obligations/liability,
– data protection impact assessments featuring as a key aspect. If the results of the assessment indicate a high risk, obtain a prior review by the relevant Data Protection Authority.
The Dell survey, reported by Fortune magazine, ‘polled 821 IT professionals across the globe; 80% said they knew little or nothing about the GDPR, while 97% said their companies didn’t have a plan in place to implement the new law.’
The deadline for GDPR implementation is May 2018. That leaves less than two years to get ready: appoint your Data Protection Officer, re-architect the way you handle data, and set up a data breach protocol.
Maybe you think that, since the UK is leaving the EU, you can feel relieved and no longer need to comply? Think twice. Elizabeth Denham has made it clear not only that the GDPR is likely to apply before the UK leaves the EU, but also that the data protection standards the GDPR requires will continue to guide the ICO even after Brexit. On 3 October 2016 she said: “I don’t think Brexit should mean Brexit when it comes to standards of data protection.”
Many have pointed out how the new EU General Data Protection Regulation affects multinational companies despite Brexit. If you have missed the speech by the new, Canadian, UK Information Commissioner Elizabeth Denham, here it is as reported by the BBC. “I don’t think Brexit should mean Brexit when it comes to standards of data protection,” she said. “In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.”
The EU General Data Protection Regulation, coming into force in May 2018, will strengthen the harmonisation of data protection law in the EU at a high level. The UK will no longer be an EU institutional partner, but that doesn’t mean the UK will not be an EU business partner. There are uncertainties about how the UK will negotiate Brexit and how the UK would then be treated as a third country, with a potentially unsafe level of data protection. This was the case for the US, initially protected by the Safe Harbor mechanism, which was invalidated following a judgment by the European Court of Justice in October 2015 and replaced by the new Privacy Shield approved by the European Commission in July 2016. What does it mean for your business? Simply that UK businesses operating cross-border data flows will have to comply with the GDPR when processing personal data of citizens based in EU countries, regardless of what legislation applies in the UK. Data transfers to the UK will be subject to strict requirements if those businesses conduct reasonably substantial business involving the processing of personal data of individuals located in the rest of the EU.
This explains Elizabeth Denham saying:
“We believe that future data protection legislation, post Brexit, should be developed on an evolutionary basis, to provide a degree of stability and clear regulatory messages for data controllers and the public. The aim here is not a data protection regime that appeals because it is overly lax or ‘flexible’. The aim is a progressive regulatory regime that stands up to scrutiny, that doesn’t leave the UK open to having rocks thrown at it by other regimes. And that has consistency and adequacy with the Europe,”
She assured that the watchdog intends to issue guidance on GDPR compliance to businesses, ‘helping you to get ready for the new law – and we will continue to provide advice and guidance around GDPR, whether you’re a business with 400 customers or 40 million.’
Baroness Neville-Rolfe, UK minister responsible for data protection in July 2016, admitted:
“We do not know how closely the UK will be involved with the EU system in future,” Neville-Rolfe said at the time. “On one hand if the UK remains within the single market EU rules on data might continue to apply fully in the UK. On other scenarios we will need to replace all EU rules with national ones. Currently it seems unlikely we will know the answer to these questions before the withdrawal negotiations get under way.”
, advises that of Pinsent Masons taking effect if they have not already done so. This position is shared by most Data Protection specialists. See also Kirsten Whitfield, Gowling WLG: ‘Brexit will not stop the General Data Protection Regulation (“GDPR”) becoming the new reality for the UK in 2018. As confirmed by the Information Commissioner’s Office last week, to trade with the European Union (trade inevitably involving cross-border personal data use, sharing, transfers and so on), we will want to be considered a country with ‘adequate’ levels of data protection. How do we attain this? By having equivalent data protection laws. In which case, we will still need to comply with GDPR standards.’
Heuking Kühn Lüer Wojtek brings the German perspective:
‘Ultimately, the deciding factor will be what level of data protection the UK arranges, and what agreements are made when withdrawing from the EU. If the UK maintains data protection laws as per the EU model, it is conceivable that the European Commission will grant the UK the status of a third country with an appropriate level of data protection, similar to the case with other European non-EU member states. If this is delayed until after a Brexit takes effect, it may create a dangerous data protection gap for companies.’
‘Brexit will have fundamental implications for the UK data protection regime. Until Brexit takes place, there will be a period during which its precise form and implications for UK data protection laws are not clear. This interim period comes at a time when data controllers are already anticipating the significant changes that will be made by the General Data Protection Regulation (“GDPR”) from 25 May 2018.’
Finally, an interesting position from a UK business owner, reported by Jessica Davies in Digiday UK:
‘Biggest danger is apathy’: John Lewis data privacy boss on EU data protection laws. Brexit may have created a lot of uncertainties for businesses, but one thing is clear: British businesses will likely have to comply with the same data protection laws as Europe if they want to continue trading as a single market. And that means marketers need to start getting a handle on how to prepare for the General Data Protection Regulations, which will roll out in 601 days.’
This is the soundest advice we can give to businesses.
Eduardo Ustaran, of Hogan Lovells, explains here why the GDPR is good for businesses.
As always, you can continue to read updates on the position of the UK / BREXIT / GDPR here.
Gaining customers’ trust by making privacy and data protection an asset could be the future of Big Data. Collecting data with express consent; not storing it longer than necessary (data minimisation); keeping data accurate and adequate; processing it lawfully, fairly and in a transparent manner, with purpose limitation and storage limitation; and processing it in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures: these are all major improvements, according to the 8 principles incorporated into Chapter 2, Article 5 (1) (a)-(f).
You have all you need to know about the GDPR in general here.
Do contact me if you need more information on data protection or if you would like a presentation on the subject.