The UK will soon implement updates to EU data protection rules - the first big change since the EU issued a Data Protection directive in 1995. Significantly for UK businesses, the UK Government intends to preserve broad equivalence between its data protection regime and the updated European rules, as the country leaves the EU in March 2019.
The General Data Protection Regulation (GDPR) is intended to introduce a comprehensive and harmonised data protection regime in the EU, although national governments have a degree of flexibility as they enact domestic laws and implement the EU regulations.
In the UK, the GDPR will be implemented through a new Data Protection Act, which is set to replace the existing 1998 legislation of the same name. A draft Data Protection Bill was published in September and the legislation is now making its way through Parliament.
The draft legislation is a significant milestone for data protection law in the UK, which has the option of deviating from the GDPR after it exits the EU. However, the Bill contains the main elements of the GDPR (which will have direct application in the UK from 25 May 2018), including higher penalties and mandatory notification requirements in the event of a data breach.
The draft legislation does deviate from the GDPR in a number of areas, such as continuing to allow processing of personal data by the media and researchers. It also proposes that other organisations are exempt from some rules, including insurers, for the purposes of pricing risk.
The Bill, which could yet change as it winds its way through the legislative process, also marks a number of updates to the existing law.
For example, the Bill proposes several new data protection criminal offences, including knowingly or recklessly obtaining or disclosing personal data without consent, and procuring or retaining personal data obtained without consent.
The Bill would also result in enhanced rights for individuals in the UK, including the right to be forgotten, data portability and controls with regard to consent. It would also broaden the scope of compensation for victims of a data breach.
Currently, individuals can claim damages for financial loss and distress, but under the proposed data protection laws, an individual would have the right to claim compensation for “other adverse effects” suffered from a data breach.
According to the UK Information Commissioner’s Office (ICO), the body that will be responsible for policing the GDPR in the UK, the Bill will increase the focus on “transparency, control and accountability”.
The new law will, for example, require companies to inform people about how they intend to use their personal data, and significantly, it will make companies more accountable to consumers and regulators for their use of personally identifiable data, the ICO says.
Organisations will need to be able to show reporting structures, risk assessments, mitigation measures and lines of responsibility within the business. Records need to be “up-to-date, accurate and comprehensive,” and they will need to be made available for the regulator if an incident occurs, the ICO says.
One of the biggest changes introduced by the GDPR will be the greater powers afforded to the regulator and the potential for far greater fines for data breaches in the future.
The GDPR sets out new powers for regulators that allow them to conduct data protection audits of organisations. Under these powers, the ICO will be able to serve assessment notices on companies as well as gain the right to enter business premises.
The GDPR will also enable the ICO to apply fines of up to 4% of a company's annual global turnover, or EUR 20 million, whichever is higher. Under the new Data Protection Bill, the government will be able to set out how ‘turnover’ is to be determined for the purposes of fines.
Despite plenty of media attention, many companies appear to be struggling to comply with changing data protection laws, while a significant proportion of UK firms are unaware of the GDPR.
Just 6% of FTSE 350 companies surveyed by the UK government’s Cyber Governance Health Check said they were completely prepared for the GDPR. The report also found that the boards of FTSE 350 companies are only occasionally giving consideration to GDPR in their meetings – only 13% said that GDPR was regularly considered by their board.
A survey by law firm Blake Morgan found that 40% of UK organisations had not taken steps to prepare for the new regulations, while more than one-third were not confident they would be able to comply with the GDPR by May next year.
Its research also revealed that around 10% of firms had updated their privacy policies to comply with the new law, while only one-quarter had put in place systems to ensure data security breaches were notified in line with GDPR.
A separate survey from financial services group Aldermore found that almost half (46%) of all small and medium-sized business owners have not even heard of the GDPR. The Blake Morgan research also found that just over one-fifth of businesses surveyed were not aware of the GDPR.
The GDPR is due to be implemented before the UK is expected to leave the EU in 2019, although signs are that the country will continue to maintain data protection rules in line with the EU even after that date.
In its data protection partnership position paper published in August, the UK government proposed arrangements that are aimed at ensuring the flow of personal data between the UK and the EU continues unhindered. The future data relationship between the UK and EU would be based on aligned data protection rules, suggesting some form of regulatory equivalence will be sought.
The paper noted that the UK Data Protection Bill would already see the UK aligned with EU data protection laws at the point of exit. After it leaves, UK businesses and public authorities may still be required to meet GDPR standards for processing European Economic Area (EEA) personal data.
Elizabeth Denham, Information Commissioner, has repeatedly called for the UK to maintain data protection laws in line with the EU after Brexit. In a speech to the Confederation of British Industry (CBI) in September, Denham said that UK data protection law “needs to be as close to Europe as possible”, proposing that the UK should seek a post-Brexit legal arrangement that provides for uninterrupted data flows.
Regulators and government organisations see the GDPR as an opportunity for organisations to bolster cyber security. For example, the National Cyber Security Strategy says that the GDPR should be used to drive up cyber security standards.
In her address to the CBI, Denham said that the new Data Protection Act, including the GDPR, is a massive opportunity for cyber security.
She noted that 61% of businesses in a 2017 survey said they now hold customer data online. Yet, the ICO’s own research shows that 80% of consumers do not trust companies that store their personal information.
“The breach reporting requirements and penalties under the new law represent a significant call to action which businesses can use to improve resilience around cyber security,” she told a CBI conference.
European Countries move ahead with GDPR
In addition to the UK, several other major EU markets have taken steps to implement the GDPR in their countries.
In July, Germany became one of the first EU countries to update its data protection laws and incorporate the GDPR. The law clarifies how the GDPR will be applied in Germany, as well as introducing a new criminal offence for the transfer or release of personal data for commercial purposes.
Austria also published its draft Data Privacy Act in May 2017, passing the law in July. As with the UK, provisions were made to exempt the police and media from some requirements, although the country has not deviated to any significant degree from the GDPR.
The GDPR is likely to represent a fundamental shift in data protection compliance in France. It will see a move away from the current process of registrations and filings with the French data protection authority in favour of a regime based on transparency and accountability.
Ahead of the new GDPR, insurers and brokers agree that data breach and non-compliance are very serious concerns and with the right policy in place the financial impact can be mitigated so that businesses are not crippled, or worse, forced to close up shop. Policies available are customisable and include significant assistance with and management of any incident that may arise, which can be essential when faced with reputational damage or regulatory enforcement. Our team at JLT has a range of endorsements to cover you against the risk exposures presented by the GDPR and have worked with a range of industry clients to help prepare them for the new regulation.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org