How the GDPR Will Be Enforced - Information Commissioner Sets Out Plans in Blog
The Information Commissioner has been writing a series of blogs to bring a dose of reality to all the concern over the introduction of the new data protection laws to replace the Data Protection Act.
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, and there are plans for a UK Data Protection Bill that closely reflects the GDPR.
What Is in Store Under the New Regulations?
Amongst the headlines for the GDPR are fines of €20m or 4% of annual turnover (whichever is greater) for failure to comply. There are other changes such as data breach reporting, new obligations on data processors and higher standards for consent. However, the UK's data protection regulator, Elizabeth Denham, has sought to quell what she sees as 'scaremongering' and separate fact from fiction.
Yes - it is fact that the fines could dwarf the current maximum of £500,000 and be that big, in theory. However, the reality is that the regulator will not be making early examples of organisations for minor infringements or that maximum fines will be the norm. Ms Denham said she always preferred the carrot rather than the stick and that would not change.
She has vowed to use the powers to issue fines "proportionately and judiciously".
She said in her first blog of the series: "The UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world. And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand just as effective."
The Issue of Consent
In the second of her blogs, Ms Denham went on to address the issue of consent. She said another myth going around was that people could only use personal data if they had consent. If people do rely on consent, then the bar has got much higher - for example, making it easy to withdraw consent, using clear and plain language, and organisations need to ensure that the consent they already hold matches the higher GDPR requirement. However, consent is only one of a number of ways to demonstrate fair and lawful processing. Others include:
- the processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- the processing is necessary for compliance with a legal obligation
- the processing is necessary to protect the vital interests of a data subject or another person
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- the processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
This last option, in particular, is one that can be relied upon and is often an easier option than consent. It will not work in every situation, though, and sometimes consent may still be needed.
Ms Denham added that the final guidance on consent should be expected in December once the Europe-wide consent guidelines are produced; in the meantime, the regulator has already produced draft guidance on consent, which can be referred to for now.
Key Points for Organisations
There is no doubt that the changes in data protection laws are greatly important and organisations must start getting ready now. If the theoretical large fines have grabbed the attention and focused the minds, that may be a good thing. Organisations need to comply and protect personal data. Serious breaches could result in significant sanctions. The best way to avoid that from happening is to ensure compliance with the new law - then there is no need to worry.