The General Data Protection Regulations (GDPR)- Key Changes to Data Protection Law

Wednesday, January 17th, 2018

Data protection law in the UK is currently governed by the Data Protection Act 1998 (DPA) however, the DPA will be superseded by the GDPR on 25th May 2018.

Concerning the GDPR, the Information Commissioner’s Office (ICO) has already stated that “many of the principles in the [GDPR] are much the same as those under the [DPA]”. Therefore, if your business is currently complying with the DPA then you are already going some way to complying with the GDPR. However, there are still some key changes being brought about by the introduction of the GDPR.

Key Changes

Wider Territorial Scope– Organisations outside of the EU that process personal data of EU residents will have to comply with the GDPR. This applies even if the non-EU organisation does not have an office in the EU. Therefore, the GDPR is likely to have a big impact on US companies supplying to EU residents.

Enforcement– The GDPR will significantly increase the powers of member states’ supervisory authorities (the UK’s supervisory authority is the ICO). Under the DPA, the current maximum fine for a breach is £500,000 (although the largest fine ever given is currently £400,000). The GDPR will increase the maximum fine to €20,000,000 or 4% of a company’s global annual turnover (whichever is greater).

With this significant increase in the ICO’s powers, companies who may have seen non-compliance with the DPA as fairly low-risk will certainly have to re-think their attitude towards data protection compliance.

Consent– The bar for obtaining valid consent from data subjects has been raised significantly under GDPR. Consent should be requested in a separate document rather than as part of existing terms and conditions and the request for consent must be in plain language rather than legalese. The consent must be as easy to withdraw as it was to give and data subjects have the right to withdraw their consent at any time.

Parental Consent- Parental consent will be required to process data of anyone under 16 years old (each member state may elect to lower the age limit to as low as 13 years old).

Data Protection Officers (DPO)- The following data controllers or processors will be required to appoint a DPO:

  1. Public Authorities;
  2. Data controllers or processors where the core activities involve regular and systematic monitoring of data subjects on a large scale; and
  3. Data controllers or processors whose core activities consist of processing sensitive personal data on a large scale.

DPO’s must have expert knowledge of data protection law. This service can be outsourced to an external service provider.

Data Breach Notification- Data controllers will now be obliged to notify both the ICO and the data subject if there has been a breach of any of the data protection principles. Notification should take place within 72 hours of discovery of the breach. A failure to notify could lead to an increased penalty against the data controller.

EU Harmonisation- The DPA was adopted to implement the EU’s Data Protection Directive 1995 (1995 Directive). Each EU member state interpreted and therefore implemented the 1995 Directive slightly differently leading to slight differences in data protection law in each member state. The GDPR will be adopted by each member state without the need for adoptive legislation in each state, meaning data protection legislation will be consistent across all EU member states (although there will be flexibility on some issues- for example, as stated above, each member state will be able to set the age at which parental consent will be required).

Data Processors Now Caught- Only data controllers were subject to obligations under the DPA whereas the GDPR introduces direct obligations on data processors. If data processors breach these obligations they can be subject to the same level of fines as data controllers (see “Enforcement” above).

Alex O’Leary – Company and Commercial Solicitor

Hanne & Co