Data Protection Law in 2016 and beyond – More Iron Fist, Less Velvet Glove
Commentators on online privacy and data protection have long predicted a “tipping point”, where the public would finally realise the impact of sharing their personal data (and of the growing economy built on it). In the information age, where businesses, platforms and brands are targeted at users according to their habits and demographics, knowledge truly is power. The use of that knowledge, and of the data underpinning it, has been taken increasingly seriously by legislators, leading to the original EU Data Protection Directive (95/46/EC) in 1995, implemented in UK law by the Data Protection Act 1998.
The foundations of the Directive were all very noble and (comparatively) straightforward. It imposed standards and restrictions on any organisation collecting, controlling or distributing “personal data” relating to identifiable living individuals, and gave those individuals specific rights as “data subjects”: access (within limits) to any personal data held about them by a “controller”; information about how that data was being used and to whom it was being disclosed; the right to object to that use in certain circumstances; and the right to compensation where damage was suffered as a result of “unlawful” processing.
Since then, Data Protection has long been seen as “the new Health & Safety”, with many businesses relegating their compliance obligations to the foot of the to-do list or, worse, ignoring them completely amid complaints that Data Protection law is too complex, impossible to comply with and based on an unattainable “counsel of perfection”. That hasn’t deterred the Information Commissioner’s Office from becoming increasingly willing to use the wide range of sanctions at its disposal (including monetary penalties of up to £500,000 under the 1998 Act) against businesses that misuse personal data or don’t take proper steps to ensure its security.
However, the issue is about to move significantly higher up the corporate and legal risk agenda following the publication of the agreed text of the EU General Data Protection Regulation in December 2015. Although the GDPR will not apply until two years after it enters into force (it applies from 25 May 2018), it’s worth thinking now about how to plan for the impending changes and about recruiting a Data Protection or Privacy Officer, as you’re probably about to need one.
The GDPR raises a number of new issues for businesses to get to grips with. The headlines are: a further broadening of what constitutes “personal data” (meaning that businesses will need to go back to basics and assess not only what data they hold, but how it’s used); the guiding concept of “privacy by design” (in the Regulation’s words, data protection by design and by default); mandatory notification of personal data breaches to the supervisory authority within 72 hours unless the breach is unlikely to result in a risk to individuals, with affected individuals to be told without undue delay where the breach is likely to result in a high risk to them (such as financial loss, distress or identity fraud); the arrival with a vengeance of the “right to be forgotten” (adding further compliance obligations); and much larger monetary penalties (from the current maximum of £500,000 to potentially €20 million or 4% of worldwide annual turnover, whichever is higher).
Helpfully, the ICO has made 5 key suggestions for businesses looking to skill up before the GDPR applies, focusing on assessing how and where consent for processing is obtained from individuals, accountability and record-keeping, staffing up to ensure that businesses have the right expertise to deal with the new obligations, and planning in peacetime for when, not if, a breach takes place.
Planning now will save a lot of headaches in the long run. The alternative, ignoring what’s coming your way and then being fined by the ICO or sued by disgruntled customers in what will be the next iteration of high-volume litigation, is far less attractive. Now, and in the future, with big data comes big responsibility.