Global Data Protection Regulation (“GDPR”)
GDPR (the “new regulation”) will be introduced to the UK on May 25, 2018. This new regulation replaces previous data protection regulation and introduces, amongst other things, the ‘right to be forgotten.’ We have prepared a brief overview of the changes brought about by the new regulation and how they may affect you, your clients and your business.
The main topics we will be discussing are:
- Unambiguous consent
- The right to be forgotten
- Changes to subject access requests
- The Regulation and children
- Penalties for non-compliance
- The effect of Brexit
Definitely maybe
The new regulation states that clear, unambiguous consent must be given. This means that silence or non-action will not constitute consent, nor will pre-ticked boxes with a signature at the end of a form. The client must therefore actively consent to a specific course of action and their data must only be used for the purpose(s) for which they give consent. Should businesses wish to process client data for a separate purpose, they must obtain separate, explicit consent for that specific situation. Clients must also be told, in advance of consenting, that they may withdraw their consent at any time. If the manner in which the client gives consent is not in plain English, and not in a format that is easily distinguishable from other pieces of text (eg. terms and conditions), then this consent will not be binding. In summary, there should be no room for doubt that the client has given explicit consent. In addition, withdrawal of consent must be easy to access and to understand.
If you find that you have ‘blanket’ or conditional consent in any of your contracts with clients, or with your employees, it is likely that they will no longer be enforceable once GDPR comes into force.
Here today, gone tomorrow
Under the new rules, clients will have the right to be forgotten. The main idea behind this is that personal data must be deleted if there is no ‘compelling’ reason to keep it. This is not an absolute right but businesses must comply in the following circumstances:
- Where the personal data you collected for a particular purpose is no longer relevant
- Where the client withdraws their consent (as described above)
- If there is no legitimate reason for you to process the data
- If the data was unlawfully processed
- If a business has to delete it to comply with a legal obligation
First, you should always determine if you have a lawful basis for processing client information. Once a client’s personal data is in your hands, you must tell the client what happens to it and how you will protect it in respect of your role as a product provider, advisor, administrator etc and more generally as a data controller or data processor. Clients will still have the right to obtain confirmation of how their data is being processed (e.g. when making an application), and they must be able to obtain access to their personal information at any time (e.g. data subject access requests).
Easy access
Clients have always been able to request copies of all data you hold on them via a data subject access request. However, one of the principles of the new regulation is that it should be free and straight-forward for a data subject to obtain access to the information that a company holds them. The timeframe for complying will reduce from 40 days to one month, and companies will no longer be allowed to charge for this function. However, a ‘reasonable’ fee can be charged if the request is ‘manifestly unfounded’ or would lead to ‘excessive workloads’. The terms ‘reasonable fee’, ‘manifestly unfounded’ and ‘excessive’ have not been defined by the new regulation; it is unclear what companies could charge and in which circumstances, until there are either legal precedents set or further guidance is published. The timeframe for providing such data can be extended from one month to two months where the requests are ‘complex’ or ‘numerous’ but, again, what constitutes ‘complex’ or ‘numerous’ is not defined within the new regulation.
Taking responsibility
The person who has Parental Responsibility (as defined by HMRC) for a child must be the person providing consent eg. to open an account or purchase a financial product or an online service where a child’s data is processed and the child is under 16 years old.
Fear not
The maximum fine for a breach of data protection legislation will rise from the current maximum of £500,000 (for severe breaches) to the greater of EUR 20 million or 4% of the business’s total worldwide annual turnover. However, as Jonathan Davidson of the FCA pointed out in his recent speech, we should be aiming for an ethical-based culture, not one based on fear or financial incentives/penalties.
Quick exit?
The Regulation was brought in to harmonise EU law. Even with the UK heading towards Brexit, the Regulation will continue to be relevant. We will inevitably see some changes regarding the mechanics of the Regulation, for example, how the UK’s ICO may change but we will know more once exit plans have been proposed/finalised.