Blog: Privacy changes must be on the agenda in 2016
Ross McKenzie warns that the way organisations handle personal information will need to go through some significant changes in the coming years to accommodate the biggest change to the data protection regulatory framework since the early nineties.
The European authorities have been thrashing out a new set of rules for the last four years, which will update the well-known UK Data Protection Act 1998. The Data Protection Regulation will overhaul the existing regime to bring the law up to date, taking the digital economy into account.
The new rules still need to be rubber-stamped, which is expected around Easter, but we have a good idea of what rules need to be planned for when handling personal data such as customer records or personnel files. The most significant changes include:
Greater Fines – Penalties for non-compliance are going up significantly, from the current top fine of £500,000 to the greater of 20 million euros or 4% of annual worldwide turnover. This is one way to get the attention of colleagues who think the regime isn’t relevant.
More Fines – The Regulation appears to expect monetary penalties to be issued for breaches of the regime which we would not have seen penalised before, such as mishandling subject access requests.
Data Breach Notification – The Regulation will require organisations to notify their local regulator within 72 hours of a breach that is likely to result in a high risk to the rights and freedoms of individuals. Those affected will also need to be notified. At the moment there is no formal requirement to notify breaches, although it is encouraged.
No More Registrations – The requirement to notify the regulator annually that you process personal data has gone. Instead, an organisation must maintain internal documentation of what it does with personal data. Record keeping will be critical, and “privacy impact assessments” will be required where processing is high risk.
Requirement for a Data Protection Officer – The Regulation requires some organisations to appoint a Data Protection Officer. Those organisations are (a) public authorities; (b) organisations which monitor people on a large scale; and (c) organisations which use sensitive personal data. This area will inevitably involve further consideration over the next two years to determine which organisations will be affected. However, given the greater responsibilities in the Regulation, it is likely that we would be recommending an officer is in place as a matter of course.
One Stop Shop Rule – If you operate an organisation with activities in multiple European Member States, you will only need to be accountable to the regulator in the territory of your main establishment. However, local authorities will still have some scope to investigate local cases.
Consent – If you rely on the consent of an individual to use their personal data, this will need to be reviewed, because the Regulation now expects consent to be “freely given, specific, informed, and unambiguous” with regard to their wishes. If you handle sensitive information such as medical records, “explicit” consent is needed, which is unchanged from the existing regime.
Right to be Forgotten – The Regulation formally recognises the right of an individual to ask an organisation to erase their data without undue delay where: (a) the data is no longer necessary for the purposes for which it was collected; (b) the individual withdraws their consent; or (c) they object to the processing.
The rules will not come into force for another two years, so there is some time to get to grips with the changes. We would recommend that 2016 is spent embedding privacy practices into your organisation through training and by including privacy issues as an agenda item in management meetings, before using the time in 2017 to update policies and procedures once the practical effects of the changes are better understood.
David Morgan, Partner, Burness Paull, has contributed to the UK section of the recently published ‘Employee Data Privacy in Europe’, in association with the Employment Law Alliance. The publication looks at the transfer of employees' personal data outside the European Economic Area, the monitoring of employees, and the use of social media.