Beverley Flynn, data protection partner at law firm, Stevens & Bolton, explores what changes to the rules regarding data protection will mean for retailers if Europe-wide proposals come into force
The data protection rules dealing with personal data are due to change dramatically in both Europe and the UK if major new EU-wide proposals are adopted. The current relatively ‘light touch’ UK data protection regime, which applies to businesses that hold personal data (data controllers) or process it on behalf of others (data processors), will be overhauled by an EU Regulation which will apply directly to the UK in place of the Data Protection Act 1998. The aim of the proposed EU Regulation will be to introduce:
- one set of data protection standards applicable to the use of personal data
- uniform application across all EU member states
- a more attractive model for businesses which operate globally
- a stricter regime for the UK than that experienced to date
The majority of retailers are affected by the Data Protection Act in some way. Retailers can be data controllers, for example, where they hold employee personal data, run a CRM (customer relationship management) database, or carry out online transactions which require customers’ personal details to be inputted. Examples of retailers appointing data processors include appointment of IT service providers, a pay roll firm to pay employees, or a third party distribution company to fulfil a customer’s requests on behalf of that business.
What types of changes are likely to be involved?
Abolition of notification: currently, businesses which act as data controllers are required to register with/notify the Information Commissioner’s Office (the regulator responsible for enforcement) and pay an annual registration fee. The requirement to register and pay the fee would be abolished, but replaced with new onerous obligations to keep detailed documentation, implement risk assessments and adopt internal policies and compliance procedures. (see below)
Adoption of new risk assessments, policies and compliance procedures: instead of the more formulaic notification regime, businesses (both controllers and processors) will be expected to adopt and implement risk assessments, internal policies and compliance procedures to illustrate their commitment to data protection. These will be open to review by the regulator who will have enhanced rights of audit.
Right to be forgotten: data subjects (ie individuals whose personal data is being held, such as customers or employees) are currently entitled to make data subject access requests to see what data is being held. Now, data subjects will also receive new rights known as the ‘right to be forgotten’, permitting individuals to request their personal data is erased where there are no legitimate reasons to retain it.
Data Portability: it is also envisaged data subjects will have a new right to data portability, allowing them to request a copy of their electronic data from data controllers and giving them the ability to move this personal data seamlessly between online providers. This is aimed at personal data held in the cloud (eg photos in the cloud environment) but, in practice, may prove burdensome and costly for business.
Appointment of data protection officers: it is envisaged all businesses, as well as public authorities (both controllers and processors), with 250 or more employees (although a higher threshold of 500 employees is under consideration) must appoint data protection officers for terms of at least two years to safeguard compliance. In the case of a group of companies, it is sufficient to appoint a single officer for the group.
Data breach notification: currently there is no strict requirement to report most data protection breaches to the Information Commissioner’s Office. However, the new regime envisages mandatory breach notification requirements. Data controllers must advise the regulator “without delay” and within 72 hours (as currently proposed) of becoming aware of a breach. In turn, processors must inform their controller when they become aware of any breach, without undue delay.
Consent: one of the main changes is consent to the processing of personal data must be expressly given, which is different to the current practice in the UK of relying for many activities on implied consent or a legitimate interests exception.
Increased fines: a new range of penalties for breaching the Regulation will be introduced. This could result in fines of up to 2% of annual turnover, compared with a maximum fine of £500,000 under the current regime.
Timeline: what should retail businesses being doing to ensure they are ready for the new regulation?
Now – undertake a review of current use of personal data, consents, policies and procedures and use of processors.
Prepare – retail businesses should ensure readiness for the new Regulation as the likely envisaged date for it to apply is 2014, with businesses being given until 2016 to comply.
Implement – updated consents, put in places revised contracts with processors, undertake a risk assessment, and draft and implement policies and compliance procedures – including dealing with breach notifications and budget for the appointment of a data protection officer where relevant.
In summary, the Regulation is still in draft and lobbying is ongoing at an EU level, meaning there is still time for retailers to make their views known or have a say on how the Regulation will appear in final form. Suffice it to say, the UK is likely to see a greater change on the impact to data protection than some of its European counterparts.