Businesses urged to prepare for new data processing regulations
The Information Commissioner’s Office (ICO), which oversees data protection in the UK, has urged businesses to prepare for major regulation changes coming into force next year.
The General Data Protection Regulation (GDPR) is an EU initiative to harmonise data protection across the European Union and it will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect that commencement date.
The GDPR will contain provisions similar to the existing UK Data Protection Act (DPA) but will be broader in scope.
It will apply to both the ‘controllers’ and ‘processors’ of personal data. The definitions are broadly the same as under the DPA – ie the controller says how and why the data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The ICO has offered some guidance to businesses and urged them to prepare for the changes. These are some of the key points:
Personal data
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations that keep HR records, customer lists or contact details, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data”. These categories are broadly the same as those in the DPA, but there are some minor changes.
For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences is not included in the special categories, but similar extra safeguards apply to its processing.
The ICO has urged businesses to make sure they’re fully prepared for the changes. In a statement, it said: “Any contracts in place on 25 May 2018 will need to meet the new GDPR requirements.
“You should therefore check your existing contracts to make sure they contain all the required elements. If they don’t, you should get new contracts drafted and signed. You should review all template contracts you use. It would also be prudent to make sure that your processor understands the reasons for the changes and the new obligations that the GDPR puts on it.
“Your processor should understand that it may be subject to an administrative fine or other sanction if it does not comply with its obligations.”
Please contact Sarah Liddiard if you would like more information about the issues raised in this article or any aspect of data protection law.