Calendar An icon of a desk calendar. Cancel An icon of a circle with a diagonal line across. Caret An icon of a block arrow pointing to the right. Email An icon of a paper envelope. Facebook An icon of the Facebook "f" mark. Google An icon of the Google "G" mark. Linked In An icon of the Linked In "in" mark. Logout An icon representing logout. Profile An icon that resembles human head and shoulders. Telephone An icon of a traditional telephone receiver. Tick An icon of a tick mark. Is Public An icon of a human eye and eyelashes. Is Not Public An icon of a human eye and eyelashes with a diagonal line through it. Pause Icon A two-lined pause icon for stopping interactions. Quote Mark A opening quote mark. Quote Mark A closing quote mark. Arrow An icon of an arrow. Folder An icon of a paper folder. Breaking An icon of an exclamation mark on a circular background. Camera An icon of a digital camera. Caret An icon of a caret arrow. Clock An icon of a clock face. Close An icon of the an X shape. Close Icon An icon used to represent where to interact to collapse or dismiss a component Comment An icon of a speech bubble. Comments An icon of a speech bubble, denoting user comments. Comments An icon of a speech bubble, denoting user comments. Ellipsis An icon of 3 horizontal dots. Envelope An icon of a paper envelope. Facebook An icon of a facebook f logo. Camera An icon of a digital camera. Home An icon of a house. Instagram An icon of the Instagram logo. LinkedIn An icon of the LinkedIn logo. Magnifying Glass An icon of a magnifying glass. Search Icon A magnifying glass icon that is used to represent the function of searching. Menu An icon of 3 horizontal lines. Hamburger Menu Icon An icon used to represent a collapsed menu. Next An icon of an arrow pointing to the right. Notice An explanation mark centred inside a circle. Previous An icon of an arrow pointing to the left. Rating An icon of a star. Tag An icon of a tag. Twitter An icon of the Twitter logo. Video Camera An icon of a video camera shape. Speech Bubble Icon A icon displaying a speech bubble WhatsApp An icon of the WhatsApp logo. Information An icon of an information logo. Plus A mathematical 'plus' symbol. Duration An icon indicating Time. Success Tick An icon of a green tick. Success Tick Timeout An icon of a greyed out success tick. Loading Spinner An icon of a loading spinner. Facebook Messenger An icon of the facebook messenger app logo. Facebook An icon of a facebook f logo. Facebook Messenger An icon of the Twitter app logo. LinkedIn An icon of the LinkedIn logo. WhatsApp Messenger An icon of the Whatsapp messenger app logo. Email An icon of an mail envelope. Copy link A decentered black square over a white square.

Eight things businesses definitely need to know about changes planned for data protection

Ross McKenzie - Burness Paul llb
Ross McKenzie - Burness Paul llb

The way organisations handle personal information will need to go through some significant changes in the coming years to accommodate the biggest change to the data protection regulatory framework since the early nineties. On Data Protection Day (Thursday 26 January), it’s a good time to give some thought about what you should do to prepare.

The European authorities have been thrashing out a new set of rules for the last four years which will update the well-known UK Data Protection Act 1998. The Data Protection Regulation will overhaul the existing regime to bring the law up to date, taking into account the digital economy.

The new rules still need rubber stamped, which is expected around Easter, but we have a good idea of what rules need to be planned for when handling personal data like customer records or personnel files. The most significant changes include:

 

1) Greater Fines

Penalties for non-compliance are going up significantly from the top fine of £500,000 up to the greater of 20 million euros or 4% of annual worldwide turnover. This is one way to get the attention of colleagues who think the regime isn’t relevant.

2) More Fines

The Regulation appears to expect monetary penalties to be issued for breaches of the regime which we would not have seen before such as mishandling subject access requests.

3) Data Breach Notification

The Regulation will require organisations to notify their local regulator within 72 hours where there is a breach likely to result in a high risk to the rights and freedoms of individuals. Those affected will also need to be notified. At the moment there is no formal requirement to notify breaches, but it is encouraged.

4) No More Registrations

The requirement to notify the regulator annually that you process personal data has gone. Instead, an organisation must maintain internal documentation on what they do with personal data. Record keeping will be critical and “privacy impact assessments” will be required where processing data is high risk.

5) Requirement for a Data Protection Officer

The Regulation requires some organisations to appoint a Data Protection Officer. Those organisations are (a) public authorities; (b) organisations which monitor people on a large scale; and (c) organisations which use sensitive personal data. This area will inevitably involve some negotiation further consideration over the next two years to determine what organisations will be affected. However given the greater responsibilities in the Regulation, it is likely that we would be recommending an officer is in place as a matter of course.

6)One Stop Shop Rule

If you operate an organisation with activities in multiple European Member States, you will only need to be accountable to the regulator in the territory of your main establishment.  However local authorities will still have some scope to investigate local cases.

7) Consent

If you rely on consent of an individual to use their personal data, this will need to be reviewed because the Regulation now expects consent to be “freely given, specific, informed, and unambiguous” with regards to their wishes. If you handle sensitive information like medical records, “explicit” consent is needed which is unchanged from the existing regime.

8) Right to be Forgotten

The Regulation formally recognises the right for an individual to ask for their data to be erased by an organisation without undue delay where: (a) the data is no longer necessary for the purposes collected; (b) the individual withdraws their consent; or (c) they object to the processing.

 

The rules will not come into force for another two years so there is some time to get to grips with the changes. We would be recommending that 2016 is spent embedding privacy practices into your organisation through training and including privacy issues as an agenda item in management meetings before using the time in 2017 to update policies and procedures once the practical effects of the changes are more understood.

Ross McKenzie is a qualified data protection practitioner at Scottish law firm, Burness Paull.