The GDPR applies across the EU from 25 May 2018. In the UK it will replace the existing data protection regime under the Data Protection Act 1998. This note briefly explains some of the implications of the GDPR for UK businesses.
GDPR – key changes
The key concepts and definitions of the DPA will remain largely unaffected by the GDPR. The Information Commissioner’s Office summarises the position as follows: ‘If you are complying properly with the current law, then you have a strong starting point to build from. But there are important new elements, and some things will need to be done differently.’
Stricter and more prescriptive rules regarding processing and retention – the GDPR will leave less to the discretion of the data controller (e.g. more specific rules on record keeping and on the information that must be provided to data subjects). Employers will need to be careful that they meet these requirements.
Increased enforcement powers – the current UK maximum fine is £500,000. Under the GDPR the maximum fine is the greater of €20 million or 4% of annual worldwide turnover in the preceding financial year.
A risk based approach – the formal record-keeping requirement will not apply to organisations with fewer than 250 employees unless the processing is likely to result in a risk to individuals’ rights and freedoms, is not occasional, or involves special categories of data. In practice most employers process staff data on a regular basis, so the exemption will be narrow.
A higher bar for ‘consent’ – under the DPA the data subject’s consent to processing is one of six general grounds that render processing lawful. Under the UK regime, implied consent through behaviour may presently suffice.
- The GDPR will require that consent is a freely given, specific, informed and unambiguous indication of the data subject’s wishes, given by a statement or by a clear affirmative action. Implied consent will not suffice: silence, pre-ticked boxes and inactivity do not count as consent.
- The GDPR provides that consent should not be relied upon by a data controller where there is a clear imbalance of power between the parties – employers may not be able to rely on a clause of the employment contract for consent and will generally need another lawful basis, such as performance of the contract or legitimate interests.
- The GDPR provides that data subjects must be able to withdraw their consent as easily as it is given.
Mandatory ‘privacy by design’ in data processing services – data processing systems (e.g. HR IT databases) must be designed with ‘privacy by design and by default’ principles in mind. Due diligence enquiries in corporate transactions may address the extent to which IT software complies with these principles.
Direct obligations on data processors – data processors will be subject to their own obligations (e.g. record keeping) and potential enforcement proceedings. A processor that goes beyond the controller’s instructions and determines the purposes and means of the processing will be treated as a controller in respect of that processing and subject to a controller’s obligations. This is likely to increase the cost of data processing contracts: processors will seek to strictly delineate responsibilities when negotiating contracts, which is likely to lead to more protracted negotiations.