The general data protection regulation – what to do in 2017
After years of discussions and negotiations, the new General Data Protection Regulation (GDPR) entered into force on 25 May 2016, and will be directly applicable in all EU Member States from 25 May 2018, following a two-year transition period. The GDPR will replace the current Data Protection Directive 95/46/EC (Directive), as implemented into UK law by the Data Protection Act 1998 (DPA).
Businesses should use 2017 as an opportunity to prepare themselves for the pending applicability of the GDPR.
1 Extra-Territorial Applicability
The territorial applicability of the Directive has been subject to a number of high profile court cases due to its ambiguity. The GDPR’s applicability, however, is very clear; it will apply to the processing of personal data by data controllers and data processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to the offering of goods or services to EU citizens, or monitoring of behaviour that takes place in the EU.
2 Joint and Several Liability
Not only does the GDPR place direct obligations on processors, but processors may be jointly and severally liable with the relevant data controller for claims for compensation by data subjects. For controllers and processors, negotiating how liability will be apportioned between parties will therefore be extremely important.
3 Breach Notification
Under the GDPR, breach notification will become mandatory in all Member States where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify the relevant data controller “without undue delay” after first becoming aware of a data breach.
4 Data Protection Officer (DPO)
A DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.
5 Data Transfers
Whilst the fundamental principle regarding transfers of personal data outside of the EEA remains unchanged, the GDPR does provide for an increased number of safeguarding data transfer mechanisms, including approved codes of conduct and certifications, as well as a seemingly simplified procedure for Binding Corporate Rules which will be accepted in all Member States.
6 Notifications / Record Keeping
Notifications to local Data Protection Authorities (DPAs) of data processing activities will be abolished under the GDPR, but there will be internal record keeping requirements. Controllers and processors will be required to maintain a record of their data processing activities, which must be available upon request to the relevant DPA. This requirement will not, however, apply to SMEs with fewer than 250 employees, unless the processing they carry out is high risk or they process sensitive or criminal data.
7 Privacy By Design and Default
The GDPR recognises that privacy must be intertwined with the design and use of information systems, and cannot simply be enforced by prescriptive rules. Controllers will therefore need to take privacy and security into account at the very inception of a product or service, rather than as an afterthought.
8 Agreements With Data Processors
The GDPR streamlines the “mandatory clauses” required in an agreement between a controller and a processor, which will now be the same in all Member States. They are, however, much more extensive than what the majority of current local laws require.
9 The “one-stop-shop”
Different DPAs have different attitudes and priorities; under the Directive this can be a particular challenge for multinationals where processing operations span more than one Member State and it is necessary to consult with, notify, and be answerable to, multiple DPAs. Under the GDPR, where processing takes place in more than one Member State, the DPA of the controller’s or processor’s “main establishment” will act as the “lead supervisory authority” in relation to that processing.
10 Sanctions For Non-Compliance
Fines under the GDPR will be streamlined with all Member States having the power to impose significant fines on non-compliant controllers and processors. The level of fines will be tiered:
- for breaches regarding general obligations, such as record keeping, data processor relationships, data protection impact assessments or DPOs, the relevant DPA may impose fines of up to the greater of EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year.
- for breaches regarding the fundamental data protection principles (including conditions for consent), data subjects’ rights and international data transfers, the relevant DPA may impose fines of up to the greater of EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year.