Give yourself an advantage on placements and interviews by learning more about the introduction of GDPR. Sam, a trainee in Shoosmiths' Nottingham office, summarises what you need to know, and why it's so important for good business.
As of 25 May 2018 the EU General Data Protection Regulation ("GDPR") will come in to force. The GDPR is a watershed moment, requiring organisations (referred to as "data controllers" under the GDPR) to take stock and think about how they process personal data at an organisational level. For many data controllers, this has meant significant investment into internal restructuring and efforts to compliance, in the process propelling data protection from a somewhat niche area of private practice in to the mainstream.
Why the need for change?
The current seminal piece of data protection legislation in the UK is the Data Protection Act 1998 (itself a transposition of an EU Directive). Whilst the Data Protection Act went some way in protecting the rights of individuals, given the era in which it was drafted (i.e. before social media and before the take-off of the internet), it is now unquestionably outdated. Recital 6 of the GDPR sums up the need for change:
"Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities."
What are the key changes?
The GDPR, which is 6 years in the making, forces data controllers to be on the whole more transparent about their processing activities, including setting out, amongst other things:
- the purposes for which they process personal data;
- how personal data is used;
- who it is transferred to;
- how long it is retained; and
- what security measures there are in place to keep personal data safe.
One of the biggest changes is that the GDPR applies extraterritorially where an organisation is processing the personal data of an EU citizen or where they are offering goods / services in the EU. In practice this means that a company based solely in the US, for example, who is processing the personal data of an EU citizen will be caught by the GDPR.
The GDPR increases the rights of individuals in respect of their personal data and streamlines the ways in which those rights can be exercised. One of the more high profile rights (which stemmed from an ECJ ruling against Google in 2014) is the right of erasure or 'right to be forgotten' which allows individuals, in certain circumstances, to request that their personal data be erased by a data controller.
The conditions for consent have also been tightened up requiring consent to be "...freely given, specific, informed, and unambiguous..." In practice this casts a shadow of doubt as to whether employers, being in a superior bargaining position, can ever rely on consent in relation to their employees. For other data controllers, it requires them to rethink how they go about getting the consent of their customers for, amongst other things, marketing purposes.
In recognition of the extra burden that the GDPR imposes, some data controllers have an additional requirement to appoint a Data Protection Officer ("DPO"). The DPO is there to ensure employees are properly trained in respect of their obligations under GDPR, to monitor the data controller's compliance with GDPR, to provide advice when the data controller is thinking about implementing a high-risk processing activity, and to act as a point of reference to the supervisory authority, which in the UK is the Information Commissioner's Office.
Why is GDPR compliance so important to businesses?
The headline reason why businesses are investing in GDPR compliance is the increase in potential fines. For data controllers, a breach of the GDPR can result in a fine of up to #20m or 4% of global group turnover, whichever is the larger. By way of example, the maximum fine under the new regime could see Facebook fined up to $1.6bn (based on 4% of global annual turnover in 2017). For context, the maximum fine that could be issued under the Data Protection Act 1998 was £500,000.
Perhaps the more punitive consequence of non-compliance is the reputational damage data controllers may face, leading to a loss of trust and confidence by users, consumers and investors. Since the alleged widespread mining and misuse of Facebook users' personal data carried out by London based data analytics firm Cambridge Analytica, Facebook has lost somewhere between 30bn and 60bn (EUR) in market value.
Such high profile misdemeanours in the face of the upcoming GDPR, and in a time where people are waking up to the reality of just how much personal data they share and who it is shared with, are sure to create issues down the line not just for big tech but for all data controllers.
Commercial awareness point
The expansive changes brought in by GDPR and the fact that it is something data controllers cannot ignore makes it a hot topic. Accordingly, it's one to brush up on when it comes to showing commercial awareness in both your applications and at assessment centre. No doubt the first headline will be if and when the Information Commissioner's Office uses their new, sharper teeth, in fining a high profile breach of the GDPR.
To find out more about what Shoosmiths is doing to help clients manage the introduction of GDPR, click here.