Are you ready for the General Data Protection Regulation?


74 days to go…

With 74 days until the new General Data Protection Regulation comes into force, businesses around Europe are beginning to speculate about what it will mean for them and to evaluate how they will need to mould and adapt to the changes in the law. Knowing how your organisation will be affected and preparing in advance is essential.

The new law will come into force on the 25th May 2018. It was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the union approach data privacy.

The previous Data Protection Directive

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. The Data Protection Directive was originally formulated 20 years ago after the European Community felt the need to align data protection standards within member states in order to facilitate cross-border data transfers. The European Community needed such a Directive because the varying levels of protection within each member state failed to offer legal certainty. The Directive was therefore adopted in 1995 to safeguard the protection of individuals with regard to the processing of personal data and to facilitate the free movement of personal data.

Why did the law need to be changed?

The main issue with the original Directive was that it did not live up to its objective of ensuring harmony between member states. Because of its nature, the Data Protection Directive was not capable of immediate transposition into domestic law and therefore required implementation by each member state. This implementation requirement allowed for discrepancies between the states’ subsequently enacted laws, which was the very problem the Directive set out to alleviate. Despite its attempt to bring about harmonisation by providing a guideline which states could follow, major differences still arose.

The continuing legal uncertainties which emerged as a consequence of diverging domestic laws constituted an obstacle to the pursuit of economic activities at EU level, suggesting that a change in the law was more than overdue. A directive differs from a regulation in that, whilst directives set minimum standards to be followed by states, regulations exist as laws in themselves without the need to enact additional legislation.


What is the GDPR?

The new GDPR has been described as the ‘most significant data security in the world’ and ‘the latest step in the ongoing global recognition of the value and importance of personal information.’ It is DIRECTLY applicable to all member states. The GDPR extends the territorial scope of Europe’s data protection regime to organisations outside the EU that do not currently fall within the scope of the Data Protection Directive. This essentially means that it now includes organisations outside of the EU when the processing of personal data is related to the offering of goods or services within the Union. Article 3(2) provides for such extension.

Extensive debates on how to improve data protection meant the GDPR took 4 years to prepare before being finally approved by the EU Parliament on the 4th April 2016.

The GDPR essentially requires all data controllers and processors that handle the personal information of EU residents to:
“Implement appropriate technical and organisational measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”

It is divided into two broad sections. The first section comprises the recitals which provide context and direction. The second section comprises the articles, setting out specific requirements which must be complied with.

Key changes

Currently, when you go on a website you may find that you are asked to opt out of any data processing (for example, receiving emails and phone calls). If you do not opt out, it may be assumed that you have read the privacy policy and consented to data processing, when in reality the privacy policy is rarely looked at. To tackle this problem, the General Data Protection Regulation will ensure that individuals and organisations actively gain consent from the user before they are able to use data for marketing purposes. Data processors must be able to provide evidence of the individual’s consent. This will benefit the user through a decrease in spam emails and a stop to those pesky PPI/accident at work phone calls. Many companies, such as Hotel Chocolat, are already starting to prepare for the new regulation by contacting users to gain confirmation that they wish to carry on receiving emails for marketing purposes.

GDPR also gives individuals more power to access information that’s held about them, allowing users to ask businesses or organisations for access to their personal data. Requests for personal information will be free of charge.

Individuals will have the ability to ask for their personal data to be wiped where there is no compelling reason for its continued processing. This is referred to as the ‘right to be forgotten’. The GDPR extends the Data Protection Directive by calling for social media companies such as Facebook and Twitter to delete posts made by children (on request) regardless of the person’s age at the time of the request. This is because a child (a person under 18 years old) may not have been fully aware of the consequences of the data processing at the time consent was given.

Other interesting points

How will it affect you?

Both major companies and small to medium enterprises will be affected by the new regulation. The new rules provide users with more control, taking the power away from businesses by preventing them from using data freely for their own benefit. Tighter regulation also means more potential for fines on the horizon. The GDPR requires organisations to know exactly what data they hold and where it is located, meaning a full information audit should be put in place in preparation for the 2018 deadline.

For any advice on how you and your business can prepare for the new rules, we recommend you visit the Information Commissioner’s Office guide to Preparing for the GDPR.

Charlotte and Laura

This blog post was written by Laura Howarth and Charlotte Jones.

Laura is a final year MLaw student at Northumbria University. After graduation Laura would like to gain a work and study visa in Australia before returning to the UK to hopefully secure a training contract. Laura’s interests outside of law include travelling, cheerleading and human rights.

Charlotte is a final year MLaw Student at Northumbria University currently working in one of the Business and Commercial firms in the Student Law Office. After graduation Charlotte wishes to pursue a career as an In-House Lawyer. Charlotte has a keen interest in travelling abroad and hopes to visit Thailand, Vietnam, Bali & Australia.