That was before the days when you could sit on the train with your smartphone checking up on your friends on Facebook, tracking the location of the Uber taxi that’s coming to collect you from the station, planning flights for your next beach holiday or making a few quick bank transfers. Whilst it’s all very convenient to be able to do these things anytime, anywhere, every single action that you take on your smartphone, your iPad or even your desktop can be tracked and stored seemingly in perpetuity. For these reasons, a shake-up of data protection law is needed to make it fit for the 21st century and beyond.
In May 2018, new legislation – the General Data Protection Regulation (“GDPR”) – will come into force. It extends the rights that individuals currently have under data protection law, introduces a new culture of “accountability”, and increases the penalties and obligations that arise when organisations breach individuals’ rights.
The Information Commissioner, in a speech to the ICAEW in January, commented: “We’re all going to have to change how we think about data protection”.
She made it clear that the changes would be significant, and were designed to protect rights in a world in which “a lot of people feel that they’ve lost control of their own data”.
The definition of “personal data” under the new law is more detailed than under the current legislation, reflecting changes in technology and the way in which organisations collect information about individuals. For example, online identifiers – such as an IP address – will be personal data under the new regime, as will data which has been key-coded (or “pseudonymised”), provided that it is not too difficult to attribute the pseudonym to a particular individual. However, it is not only new technologies that are covered. Manual filing systems will in future be more widely defined, so that a set of papers arranged simply in date order (which would not be included as personal data under the current law) is likely to be covered.
Accountants and other professionals deal with personal data every day. Examples include: HR records; clients’ payroll information; expenses details showing who travelled to where and when; and customer marketing information such as which Managing Directors enjoy being entertained at the rugby…
Some of the important changes to data protection law, strengthening individuals’ rights, are:
Probably the most significant change will be to the consent requirements. Organisations will no longer be allowed to rely on silence, pre-ticked boxes or inactivity to signify consent to the processing of personal data. Instead
This will cause a problem for organisations currently processing data which are unable to prove positive consent – when the new legislation comes into force, they will have to either find an alternative legal basis for processing the data, or they will have to cease processing the data.
In her speech to the ICAEW, the Information Commissioner made it clear that she expected organisations to move away from seeing data protection as a “box ticking exercise” towards building a “culture of privacy that pervades an entire organisation”. She emphasised the business benefits of being perceived as an organisation which respects the privacy of individuals, and foresaw that this issue could well play a role in consumer choice.
However, for those organisations that do not take data protection legislation seriously, there is a big stick. The Information Commissioner’s Office (“ICO”) has not held back from using its current powers to enforce the data protection legislation. Three recent examples demonstrate the approach:
An employee of a recruitment agency emailed personal data of 100 clients and potential clients to her personal email address as she was leaving to start a new role at a rival recruitment company. She used the information to contact those individuals in her new job. She was prosecuted at Warrington Magistrates’ Court for the offence of unlawfully obtaining data. She pleaded guilty and was fined £200, ordered to pay costs – and of course now has a criminal record.
The new legislation will be backed by high penalties for breaches.
Organisations will have to self-report certain data breaches to the ICO within 72 hours.
So, the message is clear. All organisations – no matter how small – must start preparing for May 2018. As the Information Commissioner warned the members of the ICAEW,
“If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that damage their bank balance or business reputation.”
Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.