The General Data Protection Regulation (GDPR) will require organisations that process European personal data to have a comprehensive compliance program.
The new GDPR, which will replace the existing UK Data Protection Act 1998 (DPA), will be in force on 25 May 2018. The GDPR will be effective in the European Union (EU) immediately on this date without any further laws being required. Following the United Kingdom’s (UK) exit from the EU, the government will need to enact domestic data privacy legislation to replace the GDPR. The Queen’s Speech included details of a new Data Protection Bill which is likely to be the successor data protection law although the GDPR will remain relevant to UK businesses that target the EU market.
The GDPR has extraterritorial effect and applies to
The extraterritorial scope of the GDPR represents a significant expansion of EU data protection obligations to cover all processing activities relating to EU-based data subjects.
When the UK exits from the EU by 29 March 2019, the GDPR will only continue to apply to a UK organisation to the extent that it falls within the extraterritorial scope summarised above. For purely UK processing activities relating to UK individuals, the GDPR will no longer apply although the UK is highly likely to have a broadly equivalent replacement data protection law at that stage for domestic processing activities. Therefore, the government will need to pass UK data privacy legislation in place of the GDPR for UK data processing and, perhaps, also processing of personal data of UK citizens by non-UK based organisations. The scope and stringency of this new legislation will be critical to whether the UK is still deemed to have “adequate” data privacy standards when it leaves the EU. This is, of course, relevant to whether or not data transfers to the UK from the remaining EU states are restricted or whether they are permissible without further obligations needed by those EU-based data exporters. The Queen’s Speech included details of a new Data Protection Bill which includes the following:
No other details of the Data Protection Bill have yet been publicised although it is likely that it will be more comprehensive in scope if it is to succeed the GDPR.
Most UK businesses are almost certainly going to need to transfer personal data to Europe and also to other countries outside the EU such as the United States. Currently, whilst the UK remains part of the EU, there are restrictions against transferring personal data outside the EU without consent from the individual, other than to certain “adequate” countries such as Canada or Switzerland or unless the business has in place a legally permissible mechanism, such as model clauses or binding corporate rules.
Where the GDPR applies to the processing of personal data, EU companies should conduct an initial assessment on whether it (or its affiliates) are acting as a data controller or a data processor in these processing activities.
The data controller is ultimately responsible for compliance with the data protection principles which are that personal data must be
Personal data is lawfully processed if the data subject has consented to the processing or a permitted derogation applies such as legal or contractual necessity. Further, there are strict conditions imposed on whether consent is validly obtained by the data controller.
The data controller must provide a privacy notice to data subjects regarding the processing of their personal data. The information in the privacy notice is summarised below and must be provided at the time of the collection of the personal data or, if it was collected via a third party, within a reasonable period of being collected. The privacy notice must specify certain information, and ensuring that privacy notices are compliant with the GDPR is likely to be a complex process for many organisations. The privacy notice must be concise, transparent, intelligible and easily accessible, written in clear and plain language, and provided free of charge.
There are also direct obligations on data processors under the GDPR regarding
The appointment of a Data Protection Officer (DPO) is required where there is regular and/or systematic monitoring of individuals or processing on a large-scale of sensitive personal data or criminal conviction data. Organisations can still appoint a DPO even if one is not required, but it should be clear that this is an organisational role rather than required under the GDPR. The DPO must be accessible to Europe-based individuals about whom the organisation processes personal data as well as the supervisory authority. He or she must be suitably skilled and experienced but also be able to provide training to staff. Where the DPO sits in an organisation is likely to be a difficult assessment. The role must be sufficiently resourced and independent to be effective and must also have access to management meetings and be involved in relevant business discussions but without conflict of any other role the DPO may have in the organisation.
Additionally, for organisations that are not established in the EU, a representative based in the EU should be appointed. Such an appointed representative may wish to have a letter of indemnity from the organisation to cover himself/herself from liabilities arising from this role.
The DPA does not have a mandatory data breach reporting obligation. The GDPR, however, does include a mandatory obligation to notify the data protection authority within 72 hours of becoming aware of the breach and without undue delay and, in certain circumstances, the individuals affected by the breach. The UK government will, therefore, need to decide if it will include a data breach notification obligation in the new data privacy legislation applicable after Brexit, either similar to the stringent GDPR requirement or an alternative obligation, perhaps with a longer notification period and which is triggered for significant data breaches only, which may be more pragmatic and more suited to the UK’s approach of business-friendly legal requirements.
Organisations can consider taking steps to prepare for the GDPR such as the following:
If you have any questions or would like more information on the issues discussed in this
LawFlash, please contact any of the following Morgan Lewis lawyers:
Gregory T. Parks
Mark L. Krotoski
W. Reece Hirsch