The way in which we conduct our everyday lives has changed significantly over the last 20 years, with more of our daily personal and business interactions taking place using the internet. The UK’s Data Protection Act of 1998 was not designed with today’s digital citizens in mind, and a more robust and comprehensive framework has been needed for a long time. From 25th May 2018, the EU General Data Protection Regulation (GDPR) comes into force, replacing the 1998 Act, and will provide an effective and consistent approach to the protection of personal data across all 28 countries of the European Union. Anticipating Brexit, the UK Government is well advanced with its plans to adopt equivalent requirements from GDPR into replacement UK legislation. The Information Commissioner’s Office (ICO) provides full details and is continually updated with new guidance.
So what does all this mean for us as citizens – the subjects of this personal data?
GDPR will require all organisations to comply with important principles in relation to the processing of our personal data. One of these core principles is “Data Protection by Design and Default”, which requires them to implement appropriate technical and organisational controls into their processes and systems. Put simply, they will need to identify and manage any risks associated with the proposed data processing activity:
Bringing these many requirements together, organisations will need to prepare and document a formal “Data Protection Impact Assessment” to demonstrate that personal data is not being subject to unacceptable risks when processed.
All data processing activities need to be “lawful”, which means that at least one of the six requirements described within Article 6 of GDPR needs to apply. These include data processing being necessary as part of the organisation’s performance of a contract which they may have with us as a customer or service user, or perhaps their need to meet legal obligations placed upon them (for example, communicating our personal data to tax or law enforcement authorities). Another legal basis relates to our choice to provide our “explicit consent” for our personal data to be processed for a specific purpose: this needs to have been freely given and we can vary or withdraw consent at any time. GDPR provides special conditions which must be satisfied for the management of consent in relation to children.
Whilst businesses will need to fully comply with GDPR, as citizens we also have a role to play by understanding and, where appropriate, selecting how our personal data is being processed and by whom. We can expect that data processing organisations will publish “privacy notices”, either on their websites, online application forms, or on documents, and we should take time to read and understand the details provided. These notices will, for example, declare any third-party organisations who may be involved in processing data, or the countries in which data processing will take place. It is common that these privacy notices will also explain the rights which we have as data subjects.
GDPR provides a wide framework of rights for data subjects (that’s us as individuals), which we can choose to exercise at any time without cost. We can, for example, require that an organisation tells us whether they are processing our personal data, and if so for what purpose. We also have the right to request that any inaccurate or incomplete personal data is promptly corrected. As appropriate, data subjects can object to specific types of data-processing activity, and if required request that their personal data is moved to another data processor. Finally, we can request that our personal data is deleted if it is no longer needed by the data processor and there is no other valid reason for them to retain it.
Perhaps the most notable headline from GDPR relates to the significant financial penalties which can be applied to organisations who have failed to comply with the requirements of the new Regulation, or who are found to have been subject to a personal data breach. These can be as high as €20m (approx. £17m), or 4% of global turnover if higher, and are expected to be a sufficient enough incentive for organisations to ensure that they have implemented GDPR thoroughly. As data subjects, we not only have the right to complain to the ICO about matters relating to the processing of our personal data, but we also have a civil right under GDPR to seek compensation if we consider that we have been harmed in some way by such processing.
In summary, whilst GDPR will require careful and thorough implementation by all organisations which process our personal data, it will undoubtedly help to remove many of the issues and risks associated with our use of modern-day technology and communications. As data subjects, we should welcome GDPR as a long-overdue protector of our rights and privacy, but we must also maintain awareness of our personal data and make sensible decisions about how we want it to be processed and by whom.
(You can read more about the Ci Digital Rights project, which looks at the implications of GDPR for individuals, here: https://www.corshaminstitute.org/digital-corsham-gdpr-for-the-citizen)