Tim O’Callaghan is a partner in Druces LLP, specialising in advice to the fashion and luxury goods business. In this month’s column, he discusses the EU’s new General Data Protection Regulation.
By the time you read this, Brexit will or will not have happened. Whether it does or not, there is one piece of European legislation, which came into force on May 24, 2016 and applies from May 25, 2018, that is likely to shape UK law either way, as it relates to a hot topic, hotter even than the new Agent Provocateur campaign: Data Protection and Privacy.
If we are still in the EU, the Regulation will apply directly in the UK from May 25, 2018 without the need for a UK Act to bring it in (although the government will still need to legislate for the areas the Regulation leaves to member states). If we’re out, the government is still likely to change data protection law in a way which follows the Regulation, not least because British businesses selling into the EU will have to meet its standards anyway.
For those with an eccentric interest in the full titles of EU legislation, this one is the General Data Protection Regulation, or GDPR (Regulation (EU) 2016/679). It was adopted alongside a separate Data Protection Directive (Directive (EU) 2016/680) covering processing by police and criminal justice authorities, which is not the subject of this column.
It has already had the boards of large PLCs calling in their lawyers, as the penalties for getting Data Protection wrong are going to be potentially massive. Under the Regulation, companies can be fined up to 4% of annual worldwide turnover or €20 million, whichever is the greater, for the most serious breaches – far higher than the current maximum of £500,000 in the UK.
All very interesting, my readers might think, but how does it affect me?
The fact is that if your business has the names and addresses of employees or customers kept in a paper file or on a computer, you are deemed to be ‘processing personal data’ and will therefore come within the provisions of the regime. We already have a set of data protection legislation in this country that rivals a La Perla twinset in the complexity of its construction, so what will be changing?
Aside from the penalties for non-compliance, the other main changes are:
• Expanded reach – catches data controllers and processors outside the EU where they offer goods or services to, or monitor the behaviour of, data subjects in the EU. This will be particularly relevant, not only to an American intimate apparel business trying to sell into the EU, but also to British businesses trying to sell into the EU if Brexit occurs.
• Direct obligations for data processors – At present the legal duties sit almost entirely with the data controller. Under the Regulation, businesses that process data on behalf of others (a fulfilment house or a cloud provider, say) will themselves be required to implement appropriate technical and organisational measures to ensure that they process that data in a compliant way, and to do so under a written contract with the controller.
• The establishment of a new “European Data Protection Board” – This replaces the existing Article 29 Working Party and will be set up to ensure the Regulation is applied consistently across the EU, to issue guidance and to exercise an advisory function.
• Onerous obligations on data controllers – Data controllers must be able to demonstrate compliance with the Regulation on request, must carry out data protection impact assessments before undertaking high-risk processing and must build privacy protections into their systems from the outset (“privacy by design”).
• Consent – Where a business relies on consent, it will need to demonstrate that the data subject has given it freely, and that it was specific, informed and unambiguous: a clear affirmative action, so pre-ticked boxes and silence will no longer do. This will require a review of businesses’ online terms and conditions and sign-up forms to ensure that the way in which they capture customers’ data is fully compliant.
• Duties to notify breaches – There is a duty on data controllers to notify the supervisory authority (in the UK, the Information Commissioner’s Office) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and to notify the affected data subjects themselves without undue delay where the breach is likely to result in a high risk to them. A “personal data breach” means a breach of security leading to the loss, destruction, alteration or unauthorised disclosure of, or access to, personal data. This means that if a business loses a laptop full of customer records, or inadvertently destroys a customer’s data, it may have to ‘own up’ both to the regulator and to the customers concerned.
• Right to be forgotten – Individuals will now have a right, in certain circumstances, for their data to ‘be disappeared’ (the Regulation calls it the “right to erasure”) and to require businesses that process their data to expunge it from their records without undue delay.
This intimate apparel solicitor will be advising his clients to get their data protection policies into order ahead of the change in the law and to:
1. Prepare for data security breaches – review policies and put in place a procedure for detecting, investigating and reporting breaches that can meet the 72-hour notification deadline and identify which customers need to be told.
2. Establish a framework for accountability – put in place policies, training and a culture designed to minimise risk, keep records of what processing is carried out and why, and carry out impact assessments before any new high-risk processing.
3. Privacy by design – build data protection into the design of all multi-channel sales portals, websites, apps and point-of-sale systems from the outset, collecting no more data than is needed for the purpose, rather than bolting it on afterwards.
4. Analyse the legal basis of personal data use – review all data processing activity and ask what processing the business undertakes, on what legal ground (consent, contract, legitimate interests or otherwise) and what it will need to be able to prove under the new regime.
5. Check privacy notices and policies – all privacy notices, whether on your website or elsewhere, should be transparent, written in plain language and easily accessible, and should say what data is collected, why, and for how long it is kept.
6. Bear in mind the rights of data subjects – how do these compete with the business’s legitimate interests, and what will the business do if an individual tries to exercise them, for example by asking for a copy of their data or for it to be erased?
Following some very high-profile and wide-ranging data leaks, such as ‘Wikileaks’ and the Julian Assange matter, the new Regulation tries its best to ‘put the toothpaste back in the tube’ and to redress the rampant collection, harvesting and processing of customers’ data by business. Whether it will succeed in this laudable objective, or whether once again the pace and method of data exchange in our brave new digital age will race ahead of the law, remains to be seen.