James Castro-Edwards and Jonathan Wright will discuss the topics covered below in our upcoming webinar EU General Data Protection Regulation on Tuesday, April 18th 2017 at 4.30pm (UK Time). If you would like to register to join the webinar, click here.
Data Protection TalkTalk Fine: A Taste of Things to Come?
In October 2016, telecoms provider TalkTalk was fined £400,000 by the UK Information Commissioner’s Office (ICO) for failing to protect customers’ personal data, breaching the Data Protection Act 1998 (DPA). This is the largest fine issued by the ICO, yet Information Commissioner Elizabeth Denham has publicly stated that the £500,000 maximum fine for breaches of the DPA is insufficient. EU driven law reform means that from May 2018, organisations face potential fines of up to 4% of their previous year’s worldwide annual turnover or €20,000,000, whichever is the greater. For example, under the incoming rules, TalkTalk could have been fined £71,800,000. Businesses which hold large volumes of information about individuals, for example, operators in the pensions sector, are particularly at risk.
Imminent Reform: The EU General Data Protection Regulation (GDPR)
The GDPR was adopted on May 25th, 2016 and its provisions will take effect from May 25th, 2018. It introduces significant changes for organisations in the public, private and third sectors, and heavy penalties for non-compliance. Its huge fines were a deliberate measure by the European Commission to escalate data protection to a corporate board level concern.
The GDPR applies directly to all 28 EU Member States. It applies to all organisations who do business with EU citizens, whether or not the organisation is based in the EU.
The two year ‘sunrise period’ expiring in May 2018 was meant to allow organisations time to comply with the new law. For the UK, uncertainty around Brexit has meant that many organisations did not believe that the GDPR, as a European regulation, would take effect in the UK. However, both the British Government and the ICO have indicated that the GDPR will become law in the UK.
For US connected groups, the law in this area is also further complicated by the continuing uncertainty over the future of the US Privacy Shield.
GDPR: the changes
The GDPR is significantly more prescriptive than current data protection law, and introduces a number of new obligations. In particular:
- organisations must not only comply with its provisions, but be able to demonstrate to the local regulator that they do so, by way of policies, training and management structures;
- certain types of organisation must appoint a data protection officer (DPO), but those not compelled to should consider voluntary appointment in order to ensure the many new requirements of the GDPR are met;
- data breaches must be notified to the local regulator within 72 hours, and promptly to affected individuals, failure to report could trigger enforcement action from the regulator;
- data subjects’ rights are extended significantly (for example the ‘right to be forgotten’ and to data portability), which will present an information management challenge; and
- data protection impact assessments must be carried out before commencing any new activity involving personal data, for example implementing new software.
With only 14 months to prepare for the GDPR, organisations operating anywhere in the EU that have not already done so should start the process immediately to identify the information they hold (for example, employees, ex-employees and pension scheme members), who they share it with (for example, their group companies, supply chain, clients and regulators) and how they ensure their use of such information complies with the new rules.
The GDPR is a game changing piece of legislation and any organisation that handles large volumes of information about individuals, particularly where it is sensitive in nature (for example, relating to individuals’ health or financial circumstances), will find themselves conducting a heavily regulated activity. Organisations must act now, to avoid the risk of regulatory action and reputational damage.