On 15 December 2015, “informal agreement” on the text of a new European General Data Protection Regulation (GDPR) was finally announced, just short of four years after it was first proposed by the European Commission. Assuming the Council and the Parliament vote in favour of the current text in the next few months (as everyone is expecting them to), and barring any unexpected developments (e.g. a UK exit from Europe) the new GDPR will come into force in the UK in early 2018.
By anyone’s standards, the GDPR is a monster piece of legislation. At over 200 pages including Recitals, it will take regulators and organisations (and indeed lawyers!) some time to fully absorb its implications. And for HEIs trying to comply with it on a day to day basis, much will depend on how the UK regulator decides to interpret the new law, and on its approach to enforcement, especially in the early days.
Some things, though, are already clear. Most significantly, the GDPR will introduce much higher maximum fines (up to 4% of global turnover, or Euro 20 million, for the most serious breaches). Notifying the regulator of security breaches, usually within 72 hours, will become compulsory in some circumstances. Privacy and data collection notices, and data processing clauses in contracts, will become longer and more heavily regulated. And new concepts like “privacy by design”, the “right to be forgotten” and “data portability” have survived in the compromise text, despite heavy opposition from some quarters.
But it’s not all doom and gloom. A lot of the worst excesses of earlier drafts have not made it into the compromise text. For example, security breaches need only be reported to the regulator if they represent a risk to individuals, and only to the individuals affected if the breach represents a “high risk”. So the regulator (and individuals generally) will not be staggering under the weight of constant notifications of data security breaches that don’t matter to them, as we feared back in 2012. The much-reported increase in potential fines will certainly raise the stakes on compliance, but organisations should keep in mind that they are maximums: just as we haven’t yet seen a single penalty of £500,000 (the maximum fine under the current law), it may be quite some time before we see one of Euro 20 million.
The Information Commissioner’s Office (ICO) is also right to comment that “there are many parts of the legislation that won’t be that new to us”. For example, the GDPR raises the standard of consent, specifying that it must not be a condition of concluding a contract or receiving a service, that it must be “clearly distinguishable” from a written declaration on other matters, and (in the recitals) that it must freely given, specific, informed and unambiguous. But much of this has been good practice (if not the law, as interpreted by the ICO) for a long time. Rather than introducing a completely new regime, in many ways the GDPR simply elevates existing good practice (with which HEIs will already be familiar, and in many cases already complying) to a legal requirement.
There may even be some nice surprises in the “small print”. For example, the GDPR (unhelpfully) reduces the deadline for responding to most Subject Access Requests (where an individual requests a copy of his or her own personal data) to 30 days from 40, and removes the £10 fee. However, it also introduces some new and potentially very welcome caveats to the Subject Access right, allowing an organisation to delay its response to complex and multiple requests for a further two months; and to completely refuse a request which it can show is “manifestly unreasonable” (or at least charge a “reasonable fee” for responding, which presumably could be rather more than the current “token” £10 fee).
More generally, whilst no-one would deny that the GDPR will mean more work on data protection compliance for HEIs (largely before and during its implementation, but also on an ongoing basis) – even this may have a silver lining. Rapid changes in technology, the explosion of “big data”, and a growing awareness of privacy issues has meant that data protection compliance has often been ad-hoc and reactive. Many organisations find that that they can’t use data in the way they would like (at least not without risk); or that systems already in place make compliance very difficult. Those responsible for compliance within HEIs may find that the GDPR is just what they need to motivate management (and colleagues) to make a “fresh start”, enabling them to make better use of data going forward, and reduce the risk of costly and embarrassing breaches – even if it means a bit of investment at the outset.
If you require further information on anything covered in this briefing please contact Helen Mulligan (firstname.lastname@example.org; 020 3375 7196), or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Higher Education page on our website.