Are You Going to be Ready for the New Regulation on Data Protection?
There are big changes afoot for data protection law and privacy in electronic communications like emails. It is very advisable to start preparing for them now, as (a) they will require immediate compliance when they come into force on 25 May 2018; (b) the requirements are more onerous and likely to require system changes to be put in place and tested ready for May 2018; and (c) the fines for non-compliance are going to be up to 4% of global annual turnover.
The new General Data Protection Regulation (the ‘GDPR’) will, for example, introduce a requirement for companies to report data protection breaches within 72 hours and, if they are ‘high risk’, to report them to the data subjects as well. This will require good incident detection and response systems and policies, and companies should be testing their capabilities now.
It will also introduce a higher standard for ‘consent’ to the processing: a statement of consent or a clear affirmative action (e.g. ticking a box or choosing a setting) is required and it must be freely given and specific to the uses stated, and must be able to be withdrawn at any time. Just because someone has put information about themselves on social media, for example, without restricting its use does not mean anyone can use it: they would need specific informed consent.
If an organisation has a legitimate interest in processing the data, it may circumvent the need to obtain consent, but it must still tell the data subjects of what it is doing, and why, and it would be advisable to give the subjects an opt-out. Relying on the legitimate interests condition requires companies to constantly monitor whether their processing goes beyond what is necessary, or fair, and under the GDPR they will need to specify and explain their legitimate interests in their privacy notices.
Privacy notices, generally, will need to be revisited, as they will need to tell subjects, for example, about their right to have their data erased.
Data processors (i.e. those who process personal data but do not control the purposes and means of the processing) will have new duties, and exposure to fines. For example, they will have to keep records of their processing, implement security standards, comply with rules on international transfers, and get a contract in place with their data controller and with all sub-processors. Some data processors (those whose core activities consist of processing on a large scale, or processing special categories of data such as racial origin, health data etc.) will have to appoint a Data Protection Officer.
Record-keeping replaces the requirement to register as a data controller or processor.
The ICO recommends businesses carry out a Privacy Impact Assessment before specific projects, such as new IT systems, or use of data in a new way, are implemented. Businesses must consider how they are going to minimise the data they hold, e.g. by making it anonymous.
Data subjects’ rights are increased. For example, they will have the right to access their information without paying a fee, a right to have their data transferred from one business to another, a right to be forgotten, a right to restrict processing, and a right to object to automated decision-making.
There is also likely to be an ‘ePrivacy Regulation’, specifically on the privacy of electronic communications, e.g. on cookies, the privacy of emails (when sent, to whom, what was said in them, etc.) and the use of email content and metadata (e.g. location data) to carry out direct marketing. It is likely that content and metadata will not be usable without consent, and you will have to remind users every six months that they can withdraw their consent. The new rules will protect business recipients as well as consumer recipients. Anyone involved in online sales should be watching this space.