The New Data Protection Regime: Preparation and Preparedness from the GDPR to New Issues

Introduction

The issues facing companies and organisations when complying with data protection law and the new data protection regime (GDPR) are expanding. Some of the key developments and issues that companies, organisations and their Data Protection Officers need to be on top of are set out below.

  • The GDPR

Everyone should have heard of the new General Data Protection Regulation (GDPR). This is the single biggest legislative development in over 20 years. It brings significant updates, changes, new rights, new obligations and significant new penalties. Now it is up to all companies and organisations to ensure they are properly equipped to comply with the GDPR.

  • The New Data Protection Act

As part of the UK complying with the GDPR, it is necessary to update the old UK regime to ensure equivalence to the new GDPR measures. Without doing so, there would be substantial impediments to UK-EU data transfers, especially for services, in a post-Brexit situation.

  • EU-US Data Transfers

The area of EU-US data transfers has become much more difficult following a number of cases challenging previously understood transfer scenarios. The new EU-US Privacy Shield (replacing old EU-US Safe Harbour), and other data transfer legitimising mechanisms, need to be very carefully considered.

In addition, it remains to be fully seen what will occur in terms of UK-US data transfers in the post-Brexit situation, and in terms of equivalence to the GDPR and the EU-US Privacy Shield.

  • Data Breach Incidents

Unfortunately data breach incidents are increasing. This frequently involves personal data and has significant consequences commercially for companies – in addition to the new GDPR obligations. It is imperative that full compliance is ensured, especially as the new fines regime is so significant.

  • Insurance for Data Breach Incidents

Companies and organisations should consider appropriate insurance in its own right, but also as a means of complying with or complementing the new data protection regime.

  • Preparedness and Preparations

Preparedness and team preparations for incidents that may arise are essential. One does not want to be dealing blind with a critical incident. Preparedness is also an obligation of compliance.

  • Risk Assessments

Advance risk assessment is a specific requirement under the new data protection regime.

  • Data Protection Impact Assessments

More specifically, certain types of data processing operation will require an assessment known as a data protection impact assessment under the GDPR.

  • Mandated Data Protection Officers

While previously recommended, it is now broadly obligatory to appoint a Data Protection Officer (DPO) within the company or organisation.

  • Deletion, Take Down and the Right to be Forgotten (RtbF)

The GDPR refers to new and enhanced obligations in terms of when data must be deleted.

  • Security Requirements for Business

The GDPR, as well as the enhanced risk environment, obligate companies and organisations to enhance their security and prevention measures.

  • Children

Children's personal data requires separate and additional consideration under the new regime.

  • Deletion Issues and Children

Following on from the above, there are additional considerations in terms of how long to hold data, deletion and takedown issues.

  • Deletion Issues and Students

There may also be particular issues to consider in terms of student personal data.

  • Employees

Employee monitoring and consent issues need particular compliance. Employee activities at home and off-site need to be included in these considerations.

  • Director and Officer Liability

There are now clear director and officer liability issues to be aware of, if not wary of.

  • Spam and Direct Marketing

Spam and direct marketing rules are changing, and therefore companies and organisations need to stay on top of the new rules.

  • Outsourcing

The relationship between the controller and the processor needs to be formalised in contract pursuant to the data protection regime and the GDPR. Increasingly, more specifics of the relationship, activities, obligations and rights need to be detailed.

  • Equipment

The disposal of computer hardware raises important issues. Particular care is needed when considering the disposal of IT hardware, equipment and software. They may still contain personal data files. This can continue to be the case even when it appears that files have been wiped or deleted. There are many examples of personal data still being accessible after it was believed to have been deleted and the device handed over to a third party, or worse, sold on. The new recipient could be able to access the original personal data and records. This could quite easily be a breach of a number of principles in the data protection regime. It is always advised to take professional legal, IT and/or forensic advice when considering disposing of computer devices.

  • Online

Website and social media compliance with the data protection regime demands careful consideration. This also includes online abuse and offline abuse.

  • Vehicles

Increasing technology means that employee, customer and user vehicles can be tracked and monitored. One should not assume this is permitted and the issues will require a careful analysis.

  • Location

Similarly, increasing technology means that employee, customer and user devices and phones can be tracked and monitored. One should not assume this is permitted and the issues will require a careful analysis.

  • Location Marketing

A subset of the above also arises in terms of location marketing possibilities.

  • Profiling

The dangers and benefits of profiling are increasingly debated. The GDPR expressly refers to and creates new obligations.

  • Smart Devices

The internet of things (IoT) and smart devices raise new issues and considerations, and are at least in part envisaged under the new GDPR rules.

  • Health Data

Health and fitness data, new devices, new collections, new uses, and potential transfer disclosees (e.g. insurance companies, banks, law enforcement, etc.) need individual consideration. The GDPR provides new obligations.

  • Body Recognition

Body recognition (e.g. facial recognition on CCTV, profiles and other images) and the related issues of transparency, consent, new consent, backward recognition and present-future recognition (separate issues arise in relation to law enforcement, criminal law and evidence) are raising new issues and must be considered in the GDPR context – at the very least.

  • Cloud Services and Cloud Storage

Online cloud storage has been debated by companies and organisations for a number of years. Its increasing popularity means that enhanced data protection compliance considerations must be incorporated into commercial decisions, and into compliance processes and documentation.

Localisation issues may also need to be considered.

  • By Design and By Default

There is a new obligation to incorporate compliance via data protection by design and by default (DPbD).

  • Data Subject Rights

Citizens enforcing their data protection rights is a substantial focus of the GDPR, and hence of organisational compliance. This also includes rights under the US Judicial Redress Act, which was enacted in part pursuant to, and is required by, the EU–US Privacy Shield in order to extend protection in the US to EU citizens in relation to their personal data once it is in the US, effectively permitting EU citizens to sue in the US. How Brexit might affect this needs to be looked at.

Disclaimer: Please note that this blog only contains general information and insights about legal matters. The information is not advice, and should not be treated as such.

Dr Paul Lambert is a consultant, lawyer, adjunct lecturer and author of A User's Guide to Data Protection (third edition); The Data Protection Officer, Profession, Rules and Role; Gringras, The Laws of the Internet (fifth edition); and International Handbook of Social Media Laws.
