Brexit may have shaken up many things but for the time being we are still subject to European Law, and for the digital world, this means major changes to the legal gathering and processing of personal data as of May 25 2018.
When the Data Protection Directive (implemented in the UK as the “Data Protection Act”) was created, many digital experts railed against the regulations – while well intentioned, aspects were clearly outdated and not drawn widely enough to cover changes in technology. Additionally, in European law, a directive is an instruction for a member state’s governing body to codify the ruling into its own laws – which meant that it was implemented individually by each member state, leading to differences in law.
A very visible reminder of this regulation is the “cookie bar” that we’re now used to seeing on pretty much all websites that have an audience inside the EU (see information on this on the ICO website).
To fix many of these issues, new regulations were revealed in draft form in January 2012 as the “European Data Protection Regulation”, which would enhance and clarify the previous directive, making it fit for a more digitally connected world.
The change in language from “Directive” to “Regulation” is very important here – a regulation is directly applicable to all EU member states without the need for member state implementation, removing the possibility of different law being implemented in different states. The aim is therefore to harmonise data protection laws across all EU member states.
Now called the “GDPR” (General Data Protection Regulation), the regulation entered into force on 25 May, with implementation in member states due to start in 2018.
So where does that leave the UK, especially after the Brexit vote?
Any process for Brexit – even if fast-tracked – will take at least 2 years; the UK will therefore still be part of the EU in May 2018, so businesses need to comply with the GDPR. In addition, any country wishing to trade within the EU will be required to implement either the GDPR, or matching legislation.
So, what does this mean?
If you are collecting any “personal data”, you need to abide by the new regulations. If you have a website that includes any kind of subscription or signup service, it applies. If you keep un-anonymised usage logs, it applies. Even keeping a manually updated list of contacts in Excel means that you need to abide by the regulations.
If you’re not sure what your position is, you may currently not be compliant with the DPA (Data Protection Act). This is something you should check, and ensure you solve as quickly as possible – incoming sanctions under the GDPR are harsh and audits are likely to be more frequent.
What do I need to do?
For detailed information, see the ICO overview of the GDPR. But, in brief:
- There is now a core accountability principle. Rather than just implementing regulations blindly, you are now required to show how you comply with the principles by documenting the decisions you take about a processing or recording activity.
- Unlike under the DPA, if you are a “data processor” (i.e. you process your own data, or on behalf of others) you are required to maintain records of personal data and processing activities. You also have significantly more legal liability if you are responsible for a breach.
- If you simply provide a user interface and do not process data, you still need to ensure your contracts with third parties comply with the GDPR.
- “Data processing” now explicitly includes business functions such as sending out email communications, marketing mailouts and SMS messages.
- Consent to allow data processing needs to be more explicit, and the following will no longer be acceptable:
  - Silence (not giving details about processing)
  - Inactivity (not giving people an option to opt in)
  - Pre-ticked boxes
- Large scale processing requires additional compliance, in the form of a Privacy Impact Assessment (PIA).
- Protection for data involving children is specifically enhanced: any legal or privacy notice must now be written clearly enough for a child to understand, and processing requires the consent of a parent/guardian.
- Individual rights are enhanced: individuals have the right to be informed about how their data is used, to correct their data, to access it, to request that it be removed completely, to restrict how it is used, and to collate it and take it away from your service.
- Organisations that routinely monitor data on a large scale or process sensitive data on a large scale must hire a Data Protection Officer (this may be an external advisor).
Put simply – to be ironic – this is not a small or simple topic. If you need help navigating the complexity of these new regulations, get in touch and we’ll try to help.