UK data controllers are already grappling with the biggest change to EU data protection in 20 years.
According to the new prime minister, ‘Brexit means Brexit’. But what does it mean for UK data controllers who are planning for implementation of the new General Data Protection Regulation (GDPR)?
GDPR received formal adoption by the European Parliament in April 2016 and was published on 4 May in the Official Journal. This means it will be directly applicable throughout EU member states without the need for implementing legislation from 25 May 2018. In the UK it will (subject to what I say below) replace the Data Protection Act 1998 (DPA). Some of the key changes include:
Enhanced data subjects’ rights: GDPR introduces a ‘Right To Be Forgotten’ which means that, subject to some exceptions, data subjects will be able to request that their personal data is erased by the data controller and no longer processed.
Security breaches: GDPR requires that, as soon as the data controller becomes aware that a personal data breach has occurred, it should without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Information Commissioner’s Office (ICO), unless the controller is able to demonstrate that the breach is unlikely to result in a risk for the rights and freedoms of individuals.
Consent: Like the DPA, GDPR will require data controllers to have a legitimate reason for processing personal data. If they rely on the consent of the data subject, they must be able to demonstrate that it was freely given, specific, informed and unambiguous for each purpose for which the data is being processed. Silence, pre-ticked boxes or inactivity will no longer constitute consent.
Data protection officer: Most organisations handling personal data, both data controllers and data processors, will require a data protection officer who will have a key role in ensuring compliance with the regulation. (A more detailed summary of GDPR is here)
The UK may have voted to leave the EU but formal ‘divorce proceedings’ cannot begin until it notifies the EU of its intention to invoke Article 50 of the Lisbon Treaty. This gives negotiators two years from the date of notification to conclude new arrangements. The newly appointed secretary of state for exiting the European Union, David Davis, has said Article 50 should be ‘triggered before or by the beginning of next year’. Therefore, the UK could leave the EU by December 2018 at the earliest. Consequently, there would be at least six months where UK data controllers would have to abide by all the provisions of GDPR. In reality, exiting the EU could take much longer than two years.
In the unlikely event that Brexit negotiations are concluded before May 2018, the DPA is still living on borrowed time. Immediately after the Brexit vote the ICO released a statement saying: ‘If the UK wants to trade with the single market on equal terms we would have to prove “adequacy” – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.’
There are a number of options available to the UK in terms of exiting the EU and yet still retaining membership of the lucrative EU single market. Each of these options makes it likely that either the GDPR or a very close cousin will be required in the UK after Brexit takes effect.
The Norway/European Free Trade Association Model: Under this model, the UK would remain a party to the European Economic Area Agreement. This would allow it to benefit from free trade arrangements, but in return the EU would require commitment to certain fundamental EU rules and restrictions, including the new EU data protection regime. Norway, Iceland and Liechtenstein have had to do this by implementing the current EU Data Protection Directive. Consequently, the UK Brexit negotiators will find it difficult to avoid accepting the GDPR if this option is adopted.
The Swiss model: Switzerland accesses the EU single market via a regularly updated bilateral agreement. Its data protection laws mirror the EU Data Protection Directive and so have been recognised as ‘adequate’ by the European Commission for the purpose of compliance with the eight data protection principles under the DPA. This enables transfers of personal data from EU-based data controllers to Swiss-based companies. To continue access to the single market, Switzerland will need to bring its current data protection laws into line with the requirements of GDPR. Failure to do so could see its ‘adequacy’ decision revoked. The UK would face the same decision if it decided to adopt the Swiss model.
The US model: Like the US and Canada, the UK may decide to strike trade deals with the EU independently or via collective organisations, such as the World Trade Organization. This would mean that, on the face of it, it could choose to update the DPA (ignoring the requirements of the GDPR) or even keep it as currently drafted. This would be extremely risky for the UK economy, which relies heavily on companies’ ability (especially in the financial services sector) to receive personal data freely from EU counterparts.
Regardless of what data protection path the UK chooses, UK companies with European customers and operations have to continue with their GDPR preparations. This is because GDPR will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies will be directly responsible for GDPR compliance wherever they are based (and not just their EU-based offices) as long as they are processing EU citizens’ personal data.
Recently, on the ICO’s blog, the message was reiterated that GDPR is still relevant and preparation must continue: ‘We’ve been working hard on producing a set of guidance on GDPR, with an overview of the law being the first substantive part of that. We still think it will be useful to publish this overview. This is because, once implemented in the EU, the GDPR will be relevant for many organisations in the UK – most obviously those operating internationally. The other main reason is that the GDPR has several new features – for example breach notification and data portability.
Therefore, we thought it would still be useful to familiarise information rights professionals with the GDPR’s main principles and concepts.’
UK data controllers have two years to prepare for the biggest change to the EU data protection regime in 20 years. With some breaches of GDPR carrying fines of up to 4% of global annual turnover or €20m, a ‘wait and see’ approach would be very risky.
Ibrahim Hasan is a solicitor and director of Act Now Training