Data privacy: the countdown to May 2018

European privacy laws will undergo their greatest shake-up for 20 years with effect from 25 May 2018. That may seem a long time away, but there is much that law firms and their clients will need to comply with.

The General Data Protection Regulation (GDPR) primarily applies to EU businesses. It will also apply to businesses based outside the EU that offer goods and services to, or monitor individuals in, the EU. Despite Brexit, UK businesses will still need to comply, and the UK’s supervisory authority will be the Information Commissioner’s Office (ICO).The regulation will apply to all client, supplier, employee, and partner data. It will also apply to a firm’s marketing data and lists of prospective clients and contacts. GDPR significantly changes the scope of regulating the processing of personal data, particularly, for example, for sensitive personal data such as genetic and biometric data. It will also become much harder to process information about criminal offences in some member states.

Consent and rights

Obtaining an individual’s consent to process sensitive personal data or to transfer personal data outside the EU must now be explicit, and will become much harder to gain under GDPR. Consent can also be withdrawn at any time. For those organisations dealing with children, consent from a child regarding online services will have to be authorised by a parent. The regulation considers a child to be under 16, but member states can seek to reduce this to just 13. Children’s ‘right to be forgotten’ will also become stronger.

The regulation preserves the existing rights of individuals to access and rectify inaccurate personal data, and to challenge automated decisions about them; it also retains the right to object to direct marketing. Significant new rights for individuals include the ‘right to be forgotten’ and the right to data portability: these new rights are complex and it is not yet clear how many will operate in practice until the ICO has finished its consultations.

Your accountabilities

Under GDPR, you must not only comply with the general principles, but also be able to demonstrate that you comply with them.

Firms must appoint a data protection officer (DPO). The DPO must be involved in all data protection issues and cannot be dismissed or penalised for performing their role. The DPO must report directly to the highest level of management in your organisation, but cannot be involved directly in the IT function.

The regulation also requires firms to keep personal data secure, possibly even via encryption. Controllers must report data breaches to their supervisory authority within 72 hours (unless the breach is unlikely to be a risk for individuals). You may also have to tell affected individuals.

The regulation also prohibits the transfer of personal data outside the union, unless certain conditions are met. Requests from foreign regulators may be particularly challenging.

The penalties

There is a step-change in sanctions. Regulators will be able to issue fines of up to 4 per cent of total turnover or €20m for data breaches, and fines of up to 2 per cent for administrative breaches. As regulator, the ICO will have wide-ranging powers to audit you, issue warnings, and issue a temporary or permanent ban on processing. Individuals can sue you for compensation to recover both material and non-material damage (e.g. distress).

How, why, and where we keep and use data about people is coming under ever closer scrutiny. All law firms will need to comply – and strive to ensure their clients and suppliers do too. Despite the regulation’s implementation being little more than one year away, there is still much about the ICO’s approach to be clarified – and much to be done.

For more information about GDPR see the ICO’s website: ico.org.uk/for-organisations/data-protection-reform/.

Andrew Pincott is director of marketing and business development at Kreston Reeves

@KrestonReeves www.krestonreeves.com