Advisor: Keeping up-to-date with the personal data reforms

Given the technological advances that have taken place since the introduction of the Data Protection Act nearly 20 years ago, reform of data protection legislation is somewhat overdue.

The General Data Protection Regulations (GDPRs) have been adopted by the European Parliament and as a result, will become law in the UK on May 25, 2018.

The GDPRs impose a vast number of new obligations on both data controllers and data processors, and seek to evolve and harmonise the approach to data protection throughout the European Union (EU).

This will be particularly important for travel businesses where there is a lot of personal and sensitive data being processed, both inside and outside of the EU.

What are the key provisions of the GDPRs?

The GDPRs will apply to all businesses that monitor behaviours or provide goods or services to individual residents in the EU. The GDPRs change a number of key areas of data protection legislation, including:

Consent: The consent required by data subjects under the GDPRs must be clear, affirmative, unambiguous and freely given.

This is to ensure that data subjects are aware of the legal basis for which the processing of their data is taking place. Consent should not be provided through pre-ticked boxes, and more transparency is required.

Data processors: For the first time, obligations will be imposed directly on data processors. This includes obligations regarding accountability, breach reporting, record keeping and data transfer.

Accountability: The GDPRs impose more obligations on data controllers to be accountable, with the introduction of compulsory appointments of data protection officers (where large-scale monitoring or processing takes place), data protection impact assessments and data protection by design.

Children: Specific provisions regarding children and the need for reasonable efforts to be taken to verify consent in relation to children will be introduced.

Individual rights: The timelines, process and exemptions in relation to subject access requests will change and new protections are to be introduced including the right to be forgotten, the introduction of data portability and new profiling measures.

Breach notification obligations: Data processors are obligated to notify any breach they become aware of to the data controller, and the data controller is obligated to report any breach they become aware of to the regulator (and in some cases the individuals concerned) within 72 hours of the breach arising.

What are the implications for non-compliance?

In addition to bad publicity and reputational damage, the GDPRs introduce significant fines for non-compliance. The fines adopt a two-tiered approach. The first tier, for less serious breaches (such as failure to keep the records), is up to 2% of the business’s global annual turnover or €10 million (whichever the greater).
The second tier is for more serious breaches (such as data transfers) and is up to 4% of the business’s global annual turnover or €20 million (whichever the greater). These fines are huge and businesses should take compliance seriously.

But what about Brexit?

The government has confirmed that as the UK will still be a member of the EU in May 2018, the UK will adopt the GDPRs as any other member would. This does not mean that the UK won’t amend data protection legislation following Brexit (although substantive change is unlikely), but it does mean that the GDPRs will become law in the UK from May 25, 2018.