Upcoming changes to EU legislation on data protection are going to give more power back to individuals. So just what is happening and how might you be affected?
Data protection has long been seen as a poor relation in regulatory circles – but that’s about to change. After many years of political negotiations, the EU finally agreed the wording of the General Data Protection Regulation (GDPR) in December 2015.
This radical new legislation will have an impact on every entity that holds or uses European personal data, both inside and outside of Europe, with a profound effect on how such information is obtained, handled and disposed of.
And although it’s not due to come in until May 2018, its force will be felt far sooner than that.
So what does the new law entail?
Everything hinges on the idea that the end user owns their data. The law strengthens the individual’s right to be forgotten, requires clearer consent before a business can use customer data for direct marketing, and makes data portability easier – so if a customer wishes to shift bank accounts, for example, the data behind their existing standing orders and direct debits can move with them.
The regulation also gives regulators stronger powers to dictate how businesses of all sizes store and share people’s information. Companies will have to notify the regulator of data breaches, should they occur (and tell the affected individuals where the breach poses a high risk to them), while public bodies and organisations that process personal data on a large scale may well be required to appoint qualified data protection officers.
But the real attention grabber is the massive fines that will face any company that falls foul of the new standards – up to €20 million, or four per cent of the company’s annual global turnover, whichever is greater. Ouch.
How is that different to now?
Under existing data regulations, a company based in one jurisdiction can easily transfer data to any other jurisdiction that’s deemed to offer adequate protection, and compliance is largely a matter for the jurisdictions themselves. Under the GDPR, the responsibility for compliance will also lie with the individual company.
"It’s a sea-change that takes it to a whole new level," says Nick Vermeulen, Partner at PwC in the Channel Islands. "Not only will the jurisdictions need to be aware of what’s happening, but anyone sharing data across borders will have to look at themselves and ensure that they’re complying with everything in the regulations."
There’s also a change in reach. The GDPR extends to any organisation anywhere in the world if it’s offering goods or services to people in the EU, or if it’s capturing personal data on people in the EU by monitoring their behaviour – irrespective of whether it has a presence there.
Finally, there are those fines. Failure to adhere to current data legislation would have led to little more than a slap on the wrist. "A fine of four per cent of global turnover could put many companies out of business," says Vermeulen.
Why did the EU feel the need to bring it in?
The existing data protection laws date back to 1995, when mobile phones were still bricks and Facebook’s Mark Zuckerberg was only 11. These days your bank details will fly around the world faster than you can say AltaVista, so the law is simply catching up with the seismic shifts we’ve seen in the tech.
As Sara Johns, who leads Ogier’s digital, tech and IP services, explains: "With data now flowing across boundaries in the digital economy, it’s about simplifying and harmonising the regulatory environment and giving individuals more control, and more protection, over their personal data, thus keeping pace with the way we do business in 2016."
Yet the digital world still has barriers, and differences in how the 1995 directive was implemented in each member state have made things uncertain and expensive for businesses. The new package harmonises the approach across the continent, supporting the EU’s Digital Single Market, where everyone can sell easily to everyone else.
Finally, it may even be a statement of principle. "There’s also a major dichotomy between what the EU is doing and what happens in the US, where customer data is seen as an overwhelming asset," says Mark Dunster, a Partner specialising in litigation, compliance and financial regulatory matters at Carey Olsen. "Google’s CEO recently warned people that they already have no online privacy – and to ‘get over it’. This legislation may well be the EU’s way of saying: ‘We disagree with you’."
Don’t all businesses handle data these days? Who’s going to be affected?
Any business in any industry dealing with people in the EU – from fund managers and e-gaming companies to Specsavers – will be affected. The good news is that it should enable companies to sell their goods across the whole marketplace. The bad news? They’ll need to get their house in order.
"Businesses will have to do a lot more to keep data in good order, to make sure it’s accurate and that they can remove it if asked to," says Robert Le Corre, Jersey branch Chair of the ICSA and Company Secretary at Moore Stephens. "There’s an awful lot more burden on their part. And you can’t ignore it – if you’re holding data that relates to an EU citizen, you will have to comply."
Companies will need to look at their policy and procedures to ensure that they can deal with breaches and meet the enhanced standards, and establish a framework of accountability. "We will increasingly see data protection on board agendas, if it wasn’t there already," says Johns. "And it may require additional expenditure in order to comply."
What about individuals? Will we be more protected or will our data be out there?
"Your data is already out there, frankly," says Johns. "But this regulation will give people more control and more access to their data, so it’s a real step forward."
Indeed, the regulation should herald a whole range of new protections. Consent will need to be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. The regulation has also enshrined the right to be forgotten, and individuals will be able to request a copy of their data, demand its erasure or restrict its use.
Vermeulen posits the example of an insurance company that monitors how each driver drives and uses the data to calculate premiums. "I’ll know they can only hold that data for, say, 30 days while they give me a quote," he says. "If I reject the quote, they lose the data under my right to be forgotten. But if I agree to continue to have them writing my policy, it allows them to monitor my driving style every day."
How will the Channel Islands be affected, specifically?
The regulation applies to anyone outside the EU wanting to offer goods and services to those within the EU, so many businesses in the Channel Islands will have to ensure their processes are up to scratch before the law takes effect in 2018.
But the islands are also developing their own data protection legislation to keep step with the EU, and many have spotted a potential opportunity here. With the right level of flexibility, that legislation could help the islands attract fintech companies and other businesses looking to deal in data securely.
"The Channel Islands have the largest number of non-UK-based holding companies listed in London, and we think there’s an opportunity for the islands to be a location for anyone looking to list in London in the data space," says Vermeulen.
"We could write the regulation and guidelines that say you need to do x, y, z to comply. This should be attractive to people who want to be sure they’re on the right side of the regulator."
Any final thoughts?
There is, of course, plenty of speculation as to whether the Channel Islands have everything to lose here or everything to gain. The facts are that the law is a necessary move to protect the rights of people in the digital era, and that while it may yet be a couple of years from being introduced, businesses will have to act now to ensure that they’re ready.
"Data protection has come of age," says Johns. "Ignoring it is not an option."
Will Brexit have an impact?
While the EU’s General Data Protection Regulation (GDPR) is scheduled to apply from 25 May 2018, uncertainty around how the UK will exit the EU brings into question whether, or for how long, the regulation will directly apply in the UK.
Data protection law specialist Marc Dautlich of Pinsent Masons says that the UK’s data protection laws will remain unchanged in the short term and that the GDPR will apply directly in the UK unless the UK government takes specific action in the area of data protection prior to the regulation coming into force.
In a statement, a spokesperson for the Information Commissioner’s Office (ICO) in the UK confirmed that the Data Protection Act 1998 ‘remains the law of the land’ at the moment. It said that UK data protection reforms are ‘necessary’ and that the data protection framework in the UK would need to accord to the standards outlined in the GDPR if the UK wishes to ‘trade with the [EU] single market on equal terms’ in the event that the regulation does not ‘directly apply to the UK’.
The ICO spokesperson said: "If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the single market on equal terms, we would have to prove ‘adequacy’ – in other words, UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018."