New data protection rules are about more than providing the ‘right to be forgotten'
MUCH of the media coverage of the General Data Protection Regulation (GDPR) has surrounded its protection for people who want the ‘right to be forgotten'. It is anticipated that this will apply mostly to the millennial generation that has grown up using social media.
Although not an absolute right, it means that those who want their image removed from social media or elsewhere can now ask for it to be erased, together with any links to - or copy or replication of - their personal data. The new maxim is ‘delete it, freeze it, correct it'.
But while the ‘right to be forgotten' may have taken many of the headlines, it is by no means the only change in what is regarded as the most seismic overhaul in data protection in over 20 years.
The essential purpose of GDPR, which comes into effect next May, is to ensure a greater level of consistency in terms of data protection throughout Europe. It is to be introduced across the EU, including the UK, regardless of Brexit negotiations.
The UK already has a very advanced data protection regime and the Data Protection Act 1998 has many core concepts and principles that are aligned to GDPR. However, there are some important changes that businesses must be aware of and prepare for.
There will be an emphasis on so-called ‘pseudonymous data', or ‘key coding', so that if data is inadvertently released it will be more difficult to decipher, thereby reducing the risk to the individual concerned.
Profiling, a useful tool for marketing and advertising, will be subject to scrutiny under the new regime. This includes most online tracking and behavioural advertising, with GDPR making it harder for businesses to use data for these activities.
A new standard of consent will be introduced, which will be defined as ‘any freely given, specific, informed, unambiguous indication of the data subject's wishes'.
It means that a reliance on silence, pre-ticked boxes, or inactivity will be unlikely to meet the new standards.
People will also have the right to object to data being processed and transported directly from one data controller to another.
New time limits on the supply of requested information will also be introduced, with the current 40 calendar days to be replaced by a limit of one month, and the information to be provided free of charge.
Meanwhile, for those organisations that process data, there will be new liabilities under GDPR. Any data breaches must be notified to the supervisory authority (the Information Commissioner's Office) without undue delay and in any case within 72 hours.
Given the magnitude of change included in GDPR, organisations should begin the process of conducting a data audit and ensuring transparent internal policies are in place which integrate safeguards into processing, such as encryption.
To adhere to the new standards, companies will be expected to consider state-of-the-art technology and implement appropriate technical and organisational measures. They will also be required to have procedures for redressing poor compliance and breaches, and must appoint a data protection officer to oversee compliance.
Failure to comply with the new rules could lead to businesses facing major fines, which can range from £9m to £18m, and having to cover the costs of compensation for affected parties.
By preparing now and seeking expert legal advice, businesses can reduce their risk of a data breach in the future, and avoid facing financial penalties and the associated negative publicity.
:: Rosemary Lundy is employment law partner at Belfast law firm Arthur Cox,