European Union’s (“EU”) regulations on the protection of natural persons with regard to the processing of personal data and free movement of such data (“GDPR”) came into effect from May 25, 2018. These new General Data Protection Regulations 2018 have replaced previous data protection rules across Europe that were almost two decades old. It was created to make businesses and other organisations protect the personal data and privacy of EU citizens for transactions that occur within EU member states.
It has been designed to harmonise’ data privacy laws across all of its member’s countries as well as providing greater protection and rights to individuals. However, it has extra-territorial application and applies to the processing of personal data of EU residents even by entities situated outside the EU. There’s the potential for large fines and reputational damage for those found in breach of the rules.
It sets a new standard for consumer rights regarding their data, but entities will be challenged as they put systems and processes in place to maintain compliance.
Data Protection Act, 2018 summary
With UK’s exit from the EU on January 31, 2020, the transition period under the terms of the UK-EU withdrawal agreement ended on December 31, 2020 (“Transition Period”). The trade and co-operation agreement between the UK and EU, implemented by the EU (Future Relationship) Act 2020, addresses the arrangements following the end of the Brexit Transition Period.
The UK data protection regime is regulated by the Data Protection Act (2018) (“DP Act”), which superseded the previous 1998 Data Protection Act and tailored to become the ‘UK GDPR.’ In other words, very similar GDPR principles, rights and obligations to those found in EU GDPR have been retained.
Since the end of the Brexit transition period on December 31, 2020, the EU GDPR no longer applies to the processing of UK residents’ personal data. However, it is worth noting that post Brexit firms operating in the UK with only UK consumers, the UK GDPR is applicable. In the event, UK based firms have EU consumers, then the EU GDPR would be applicable along with the UKGDPR since entities who are acting as either a ‘controller’ (i.e. the person who determines the purposes and means of the processing of data) or a ‘processor’ (i.e. the person who processes the personal data on behalf of the controller), of personal data of persons of EU, in relation to the offering of goods or services to such persons or monitoring their behaviour in so far as it takes place within EU, become subject to EU GDPR.
The DP Act refers to the domestic implementation of the EU GDPR. It adapts the UK GDPR to the domestic legal system, giving definitions, rules for public bodies, setting enforcement procedures and powers, and so on.
In nutshell, the UK GDPR is the retained EU law version of the GDPR and is supplemented by the DP Act. However, there are key differences between the DP Act and the EU GDPR which are set out below:
|Child consent age
|A child can consent to data processing at age 16.
|A child can consent at age 13.
|Definition of personal data
|Personal data can include IP addresses, Internet cookies and DNA
|More limited definition.
|Processing of criminal data
|Processors of criminal data must have official authority to do so.
|Processors of criminal data do not require official authority.
|Automated decision making/processing
|Data subjects have rights to refuse automated decision making or profiling.||Permits automated profiling subject to legitimate grounds for doing so.
|Data subject rights
|Protects data subjects to personal data processing.||Data subject rights can be waived if they significantly inhibit an organisation’s legitimate need to process data for scientific, historical, statistical, and archiving purposes.
|Privacy vs Freedom of Expression
|An exemption exists in relation to the processing of personal data if it is in the public interest.
|Many non- EU data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the EU must appoint a representative in the EU.
|Many non-UK data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the UK must appoint a representative in the UK.
|The maximum fine for non-compliance is €20 million or 4% of annual global turnover.
|The maximum fine for non-compliance is £17.5 million.
There are two important exceptions with respect to the applicability of the GDPR. First, the GDPR does not apply to ‘purely personal or household activity.’ So, if you have collected email addresses to organize a picnic with friends from work, rest assured you will not have to encrypt their contact info to comply with the GDPR (though you might want to anyway!). The GDPR only applies to organizations engaged in “professional or commercial activity.” So, if you’re collecting email addresses from friends to fundraise a side business project, then the GDPR may apply to you.
The second exception is for organizations with fewer than 250 employees. Small- and medium-sized enterprises (SMEs) are not exempt from the GDPR, but the GDPR does free them from record-keeping obligations in most cases (see Article 30.5).
For companies that have more than 250 employees, there’s a need to have documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for and descriptions of technical security measures in place. GDPR’s Article 30 lays out that most organisations need to keep records of their data processing, how data is shared and stored.
The ‘destruction, loss, alteration, unauthorised disclosure of, or access to’ people’s data must be reported to a country’s data protection regulator where it could have a detrimental impact on those who it is about. This can include but isn’t limited to, financial loss, confidentiality breaches, damage to reputation and more.
In the UK, the ICO has to be informed of a data breach within 72 hours after an organisation finds out about it. An organisation also needs to tell the people the breach impacts.
GDPR can be considered as the world’s strongest set of data protection rules, which enhance how people can access information about them and place limits on what organisations can do with personal data.
Lawful bases for processing data:
The lawful bases for processing are set out in the UK GDPR. At least one of these must apply whenever you process personal data:
The individual has given clear consent for you to process their personal data for a specific purpose.
The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering a contract.
3. Legal obligation
The processing is necessary for you to comply with the law (not including contractual obligations).
4. Vital interests
The processing is necessary to protect someone’s life.
5. Public task
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6. Legitimate interests
The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
The DP Act is substantially similar to the EU GDPR. There are seven (07) GDPR principles for the lawful processing of personal data. Processing includes the collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data. Everyone responsible for using personal data must follow strict rules called GDPR principles.
Broadly, the seven GDPR principles to be followed for accountability and protection are as follows:
1. Lawfulness, Fairness and Transparency
Processing must be lawful, fair, and transparent to the data subject.
2. Purpose Limitation
Data must be collected only for the legitimate purposes specified explicitly to the data subject when you collected it.
3. Data Minimization
Only as much data as necessary for the purposes specified must be collected and processed. It must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Personal data must be accurate and up to date. Inaccurate data must be erased or promptly rectified.
5. Storage Limitation
Only store personally identifying data for as long as necessary for the specified purpose. Personal data may be stored for a longer period if it is processed solely for archiving purposes in the public interest with necessary data protection measures in place.
6. Integrity and Confidentiality
Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g., by using encryption).
The data controller is responsible for being able to demonstrate GDPR compliance with all these principles.
Other requirements of GDPR
The GDPR allows individuals to seek compensation for “non-material” damages, such as distress or anxiety, where this results from an infringement of an organization’s legal obligations under the GDPR. It significantly strengthened several rights: individuals found themselves with more power to demand companies reveal or delete the personal data they hold; regulators were able to work in concert across the EU for the first time, rather than having to launch separate actions in each jurisdiction; and their enforcement actions had real teeth, with higher maximum fines for breaches.
A breach of the GDPR in some circumstances can lead to a maximum fine of £17.5 million (about Euro 20m) or 4% of an undertaking’s worldwide annual turnover, whichever is higher. Data protection authorities can also issue sanctions, such as bans on data processing or public reprimands. It is advisable to take out data protection/ cyber liability insurance to cover the organisation from such breaches.
Breaches have occurred in the past too but since this piece of legislation is recent and compliance mandatory, the cases must be mandatorily reported and hence the knowledge of the breaches. Data protection violations are almost a breach of the rights and freedom of persons. Organisations are ensuring that they are in full conformity with the law but at times a breach occurs due to third-party providers handling the organisation’s data and may be outside the organisation’s control. Due to the storm that the media creates, things are blown out of proportion sometimes and organisations are defaced.
The UK GDPR is heavily derived from the EU GDPR and generally, the terms and core concepts used in the UK GDPR have the same meaning as they do in the EU GDPR, although there are several key detailed differences between the two regimes which are set out above. When the UK formally withdrew from the EU, GDPR became retained EU law and continued to apply as before. GDPR introduced several important principles that previously underpinned data protection law, such as the ‘accountability principle’ and ‘privacy by design’ which encourage organisations to take more responsibility for the data they protect.
In a highly regulated and complex environment, organisations on which GDPR is applicable need to be focussed on the data they have, manage, and protect it appropriately without breaching the trust of their customers, users and employees.