Written by Gemma Dixon, EL/PL Litigation Executive at Fletchers.
The General Data Protection Regulation (GDPR) will come into force tomorrow, on 25th May 2018.
Up until 25th May 2018, data protection in the UK is governed by the Data Protection Act 1998, which implemented the 1995 Data Protection Directive. Those rules were written to protect personal data held on computers and in structured paper filing systems.
Under the 1998 Act, an organisation could be fined up to £500,000 for a breach. From 25th May 2018, data protection rules will be overhauled with new legislation, known as GDPR.
The aim of the changes is to strengthen the protection of data in modern society, to be more transparent to members of the public, and to give individuals a right to control their data.
The most visible difference in the new legislation is that the fines for breaches have increased dramatically. Penalties are tiered depending on the seriousness of the breach: the lower tier is capped at 2% of annual global turnover or €10 million, and the upper tier at 4% of annual global turnover or €20 million (in each case, whichever is greater).
An individual's rights are now specifically listed as follows:
- Right to be informed
- Right to access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making, including profiling
Individuals will now have a right to ask companies to remove their data from their systems. The right is not absolute, however: a company may need to retain a minimum record (for example, a note that the person asked not to be contacted) so that the same data is not collected again and the individual is not contacted in the future.
Organisations carrying out certain kinds of processing (public authorities, and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data such as health data) must appoint a Data Protection Officer. A breach that is likely to put individuals' rights and freedoms at risk must be reported to the supervisory authority (in the UK, the Information Commissioner's Office) within 72 hours of the organisation becoming aware of it.
Whilst law firms and other companies will be swotting up on GDPR, it is not as easy for members of the public to understand. With this in mind, a website has been set up to briefly explain GDPR to members of the public: https://www.eugdpr.org/
Individuals will have noticed that they have received quite a few emails recently, some probably from companies that they did not even know held their details. If an email is from a company that a person does not remember signing up to, or no longer wants to be registered with, they can ask for their personal data to be removed. This is the right to erasure.
In short, an individual has a right to ask to be forgotten. With technology evolving as quickly as it does, even if an individual is forgotten, I doubt it would be long before they somehow find themselves found again. A lot of individuals do not realise that certain activities (e.g. posting a status on Facebook or entering a competition) automatically put you in the public domain. GDPR is meant to make these activities, and the permissions that you are giving, more transparent.
The issue of data protection was recently in the news when it emerged that Facebook had failed to monitor Cambridge Analytica and had allowed it to harvest data from Facebook profiles without the individual users' knowledge. When the news broke, the UK and US governments promised to investigate and called for Facebook to be more tightly regulated.
Another example of a data breach involved two individuals from an organisation who made several serious errors whilst travelling on a train. First, they both had their business laptops open and visible to other passengers. Secondly, they took business calls on the train. Thirdly, they left their seats to visit the buffet car and left their laptops open and unlocked for anybody to use. Between them, these lapses allowed a fellow passenger to identify the names of the members of staff, where they worked, the deal they were negotiating and the financial records behind it. Note that nothing here required any technical skill: an unattended, unlocked laptop and an overheard call are enough, which is why screen locks, short auto-lock timeouts and privacy filters matter as much as any software control. Such actions could have resulted in a serious breach, but luckily the passenger who witnessed all of this was not malicious and did not touch the laptops. Further information on this example can be found here: http://www.lawsociety.org.uk/news/blog/overheard-on-a-train-how-i-could-have-ransomed-a-law-firm/
As the previous legislation dates from the 1998 Act and the 1995 Directive, and technology and social media have taken a large leap forward since then, an update was clearly needed. Most records are now computerised, whereas in 1998 a lot of data was still paper-based.
Whilst the UK may be exiting the EU, the new EU data protection laws, for the time being, will still be applicable in the UK from 25th May 2018.
I believe there is a grey area in GDPR in relation to obtaining medical records. It is my understanding that, under GDPR, an individual can obtain a copy of their own medical records and should not normally be charged for it. However, it is unclear whether this extends to solicitors' firms and other organisations obtaining such documents on a client's behalf. Whether it applies to individuals only or not, I believe it will create a financial loss for GP surgeries and other medical institutions.
To summarise, GDPR comes into force on 25th May 2018 and nobody can hide from it. It will affect all individuals and organisations. It will probably have teething problems and create confusion, particularly for members of the public, for the first few months, but I am sure that it will become easier to understand in time. GDPR is not foolproof and there will still be breaches.