The new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and will change the way we handle personal data. Where current data privacy legislation focuses on organisations and what they are permitted to do with the data they hold, GDPR places the emphasis on the rights of the individual. Its aim, in short, is to look after the privacy of the individual based on the premise that consumers and data subjects should have knowledge of what data is held about them and how that data is used.
In this article, we will review three specific UK/EU regulations and look at how GDPR will affect them going forward. These are:
- The Data Retention Regulation of 2009
- The Data Protection Act of 1998
- The EU Data Protection Directive
The Data Retention Regulation of 2009 made it mandatory for Internet Service Providers (ISPs) to retain individuals’ communications data. Under this legislation, it is the duty of a public communications provider to retain the communications data on telephone and internet access, including data on unsuccessful call attempts (missed calls) that are logged in the UK. The police and security agencies are able to request access to details such as IP addresses and time of use of every mail, phone call and text message sent or received, and internet service providers must store this data for a minimum of 12 months from the date of the communication in question.
This regulation was repealed by the EU, but the UK then passed the Data Retention & Investigatory Powers Act of 2014 to re-instate the regulation, a move that, according to media reports, was seen as controversial. This act allowed companies to track citizens’ use of the internet from the UK, and the information could be accessed by the police and security services without judicial oversight. GDPR will directly contradict this regulation, as under the new regulations, ISPs can only collect the minimum amount of user data necessary to run their business. Moreover, under the terms of GDPR, users must give consent for data to be collected and have the right to be forgotten.
The Data Protection Act of 1998 requires people who use data to follow ‘Data Protection Principles’ and ensure the data is used fairly and lawfully, and used for limited, specifically-stated purposes. This regulation requires people who use data to keep the data for no longer than is absolutely necessary and not to transfer it outside the European Economic Area (EEA) without adequate protection. In addition, there is stronger legal protection for more sensitive information, such as information divulging ethnic background, political opinions, religious beliefs, health, sexual health and criminal records.
The Data Protection Act gives users the right to find out what information the government and other organisations hold about them. Users can request a copy of the information an organisation holds about them, and the organisation is legally required to provide a copy of the information, unless the information is about the prevention, detection, or investigation of a crime, a national security issue, the assessment or collection of tax, or related to judicial or ministerial appointments. An organisation does not have to say why they are withholding information.
GDPR will impact this regulation slightly as the original Data Protection Act does not fully meet the GDPR’s rule that users have the right to be forgotten and that data cannot be freely transferred internationally. This regulation will need some tweaking, to ensure organisations are not storing personal information for too long and that data is not being transferred freely between the UK and the EEA.
The EU Data Protection Directive (Directive 95/46/EC) is a regulation adopted by the EU to protect all personal data collected for, or about, EU citizens, especially the processing, using or exchanging of such data. The EU Data Protection Directive is based on recommendations first proposed by the Organisation for Economic Co-operation and Development (OECD). These recommendations are founded on seven principles:
- Subjects whose data is being collected should be given notice of such collection.
- Subjects whose personal data is being collected should be informed as to the party or parties collecting such data.
- Once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.
- Personal data should not be disclosed or shared with third parties without consent from its subject(s).
- Subjects should be granted access to their personal data and allowed to correct any inaccuracies.
- Data collected should be used only for stated purpose(s) and for no other purposes.
- Subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.
The Data Protection Directive is superseded by GDPR, which was adopted by the European Parliament and European Council in April 2016 and will become enforceable in May 2018. The new regulation expands upon previous requirements for collecting, storing and sharing personal data and requires the subject’s consent to be given explicitly and not checked off by default.
In short, GDPR will impact many of the current data regulations in the UK. Personal information is now a lot broader, and includes many details that can be used to identify an individual. In addition, we, as a society, will have to update our definition of confidentiality, as in the future, users will have the right to distribute and rescind their data, even to the extent of giving it to a company’s competitor. One big thing that’s for sure is that the Data Retention Regulation for ISPs will need to change. As for the rest, it will be interesting to see how it all unfolds!
To read our GDPR – are you prepared? insight document, click on https://www.brickendon.com/solution/brickendon-insight-gdpr/ or to find out more about how Brickendon can help your firm assess what GDPR means for you, contact us on [email protected]