The EU General Data Protection Regulation and the incoming Data Protection Bill (UK) will introduce a range of new liabilities into the data protection landscape. Data controllers have been warned of a corresponding increase in data protection claims under the new regulatory regime for some time. These warnings have largely focused on the level of fines and new data breach response requirements. However, the brewing perfect storm surrounding compensation claims should also be firmly on solicitors' radars.
The Crown Commercial Service has published a procurement policy note (PPN) in relation to the new data protection legislation that will be implemented shortly. The PPN highlights the fact that the EU General Data Protection Regulation now strikes a more even balance between data processors and data controllers and requires organisations to act immediately to ensure compliance. As the new legislation will apply to the wider public sector, other public bodies may wish to apply the principles of the PPN.
The recently announced Data Protection Bill (which will replace the existing Data Protection Act) will transpose the EU General Data Protection Regulation (GDPR) into UK law and will be applicable despite Brexit. The new enhanced regime will affect all businesses that process data relating to an identified or identifiable natural person. Companies need to be actively preparing to ensure that they are GDPR compliant by identifying what steps are needed to comply with the regime.
The extent to which the data subject access request (DSAR) regime will change under the EU General Data Protection Regulation and how this will affect employers is becoming clear. For example, the fee for responding to a DSAR will be abolished and the deadline for compliance will be reduced. While there will be some practical differences, an employer that has appropriate systems and procedures in place to deal with DSARs under the existing regime will not need to radically rethink its approach.
Data protection law is set for a radical overhaul in 2018 and accountancy firms should be preparing now for the changes and the compliance challenges that this will bring. The EU General Data Protection Regulation (GDPR) is an attempt to harmonise data protection laws across Europe. The United Kingdom's recently announced Data Protection Bill (which will replace the existing Data Protection Act) will transpose the GDPR into UK law and will be applicable despite Brexit.
The EU General Data Protection Regulation left room for member states to introduce their own laws in certain areas, including in relation to employment law. As such, the government has now released the draft Data Protection Bill, which is the first glimpse of what will eventually evolve into the Data Protection Act 2018. The bill does not contain major surprises from an employer's perspective, but there is increasing emphasis on the importance of policy documents and record keeping.
The government recently issued a statement of intent to publish a new Data Protection Bill. The bill will bring into law the EU General Data Protection Regulation, which takes effect in the United Kingdom in May 2018 and will be the most comprehensive overhaul of data protection law this generation. The new regime for handling personal data has challenges for employers in their capacity as data controllers with increased rights for individuals and enhanced fines for non-compliance.
The cyber threat to UK businesses is ever increasing, particularly as hackers develop new variants and methods with which to target businesses. Businesses need to regard cybersecurity as a priority and should have risk management strategies in place to prepare and rehearse for cyber and data breach incidents.
The Information Commissioner's Office consultation on its draft General Data Protection Regulation Consent Guidance recently ended. Of key relevance to the insurance sector is the position that consent should not be a precondition of a service. As an insurance policy cannot be provided without 'explicit consent', the consent will have to be 'conditional'; that is, individuals will have to be told that if they do not consent, they cannot take out the policy.
Four significant decisions have recently affected how data controllers respond to subject access requests (SARs) under the Data Protection Act 1998. In one case, the court declined to enforce further compliance with a SAR as the data controller had already carried out proportionate searches and properly applied the privilege exemption. In the others, it considered the limits on a data controller's obligations when responding to a SAR.