The UK Government published its new data protection bill and in doing so removed any lingering doubts that it would continue to uphold EU privacy rules regardless of Brexit.
The EU General Data Protection Regulation (GDPR) is due to come into force in the UK and other member states on 25 May 2018. The GDPR is the EU’s response to a huge increase in cross-border flows of information aided by rapidly developing technology which together present severe challenges for the protection of personal data.
The UK Government sees the current Data Protection Act as part of its “gold standard” approach to regulation, while acknowledging that the law needs to be substantially updated for our increasingly digital economy and society. The Government therefore proposes repealing the 30-year-old Data Protection Act and replacing it with a new law that retains the concepts of the current legislation while complying with the GDPR in full, so as to enable businesses to operate across international borders even after Brexit.
Since a failure to comply with the GDPR could risk fines far in excess of the current level meted out by the Information Commissioner, it is vital that the energy industry takes steps now to prepare for life under the new rules. Even international group companies, which traditionally saw themselves as safely beyond the reach of EU data privacy laws, must now pay special attention. This is because from next May energy companies will be caught by the GDPR even if they are outside the EU, provided they are processing personal data while monitoring the behaviour of individuals inside the EU or offering them goods and services.
At Offshore Europe, Oil and Gas UK set out its vision for the sector until 2035. Part of this vision is anchoring capability and expertise in the UK by delivering sustained investment in technology. With this in mind, it is worth noting the GDPR’s requirement that the design, development and selection of any application or product that processes personal data should have privacy considerations at its heart, through a system of data protection “by design and by default”.
Gone is the obligation for data processors to register with the Information Commissioner’s Office (ICO). In its place come onerous obligations to demonstrate compliance with the new law, including maintaining records of processing and carrying out impact assessments in advance of any processing that is likely to present a high risk. A detailed yet concise data privacy notice will need to be provided to data subjects explaining the way their data is being handled. This notice must summarise the newly acquired rights of individuals: their right to access personal data for free within 30 days, to have it made ‘portable’ and transferred to another organisation, and to have such data erased, rectified or not processed at all.
The mechanism whereby a business processes personal data on the basis of consent (a route already doubted by European data protection authorities, particularly in the employment context) has now been made even more uncertain by the requirement that consent must be “freely given, specific, informed and unambiguous”. This will require a fresh analysis of the personal data being processed, and of whether there are other lawful grounds under the GDPR (outside of consent) for doing so.
It is something of a relief that, despite the recent demise of the US Safe Harbour regime and continued questions about its replacement, the Privacy Shield, transfers outside the EEA will still be permitted, provided adequate safeguards are in place such as EU model clauses, binding corporate rules, or membership of soon-to-be-developed certification schemes.
Those organisations whose core activities consist of regular and systematic monitoring of individuals on a large scale, or processing special categories of data on a large scale (e.g. health or criminal records) will be required to appoint a data protection officer (DPO). The DPO is to lead the charge for compliance at a senior level, as well as being the figurehead for dealings with data protection authorities and aggrieved individuals.
Businesses that process personal data on behalf of, and under instruction from, third parties (data processors) will find themselves for the first time subject to direct obligations under the GDPR covering much of the same ground described above. In preparation for these changes, data controllers and data processors will need to revisit and renegotiate any current data processing agreements.
The changing enforcement landscape is the key driver for a coordinated and comprehensive approach towards the GDPR. Under certain circumstances, data breaches that lead to personal data being compromised will need to be notified to the ICO within 72 hours of the organisation becoming aware of the breach. Individuals will also need to be notified without undue delay if a high risk to their rights and freedoms is likely. Ultimately, breaches of the GDPR could lead to fines of up to €20m or 4% of annual worldwide turnover. Taking steps now to put in place a robust and proactive approach towards compliance by the time the new rules come into force on 25th May next year is the best way to ensure that sanctions of this size will not come into play.
Penelope Warne is the senior partner & head of Energy at CMS.