Big Data Changes: EU General Data Protection Regulation
UK data protection law will change on 25 May 2018, when the EU General Data Protection Regulation takes effect, replacing the Data Protection Act 1998.
A summary of the changes is provided below. References to the “data controller” mean the person(s) who determines the purpose of the data and the manner in which it is processed. The “data processor” is any person processing the data on behalf of the data controller and the “data subjects” are anyone in respect of whom data is held:
- There is greater accountability to demonstrate compliance with the rules. This includes a requirement to implement technical and risk-based systems and appropriate safeguards
- There is a requirement to appoint a Data Protection Officer (DPO) for monitoring data subjects on a large scale
- There are direct obligations on the data processor to maintain written records of processing activities and notify the data controller of any personal data breaches without undue delay
- A higher standard of consent is required from the data subjects. Consents must be informed, freely given and capable of being withdrawn. Requests for consent must be clear.
- The data subjects must be provided with transparent and comprehensive information including their rights and the period for which data will be stored
- Data controllers must notify data breaches to the EU Data Protection Authorities (DPAs) where there is a high risk to the rights of the data subjects. Where possible, this needs to be done within 72 hours of awareness. Data subjects will also sometimes require notification
- The requirement to notify or seek approval from the DPA on data processing activities is removed as the data controller is more accountable for its own activities (although the DPA should still be consulted in advance on high risk matters)
- Data subjects have the right to request information about data being processed about them and the right to correct data
- In certain circumstances, data subjects also have the right to request that organisations delete their personal data, right to object to personal data being processed and right to obtain a copy of their data in a commonly used and machine-readable format
- DPAs can impose significantly higher fines for breaches
- The new laws will apply to organisations located outside the EU which target consumers within the EU
The above is only a summary so if you would like more information or would like to discuss how the changes will affect your business, please contact our commercial team at Foskett Marr Gadsby & Head LLP who are based in Epping and Loughton on 01992 578 642. Further details on https://www.foskettmarr.co.uk/index.php/our-team/business-solicitor-essex/.