Preparing for data reform

x Sponsored content on Research Live and in Impact magazine is editorially independent.
Find out more about advertising and sponsorship.

Finally, after 4 years of protracted negotiations, the General Data Protection Regulation (GDPR) has been agreed and adopted by the European Parliament. The GDPR will be enforced by national data protection authorities across the EU in Spring 2018. As the scope of the reforms and the increased obligations placed on businesses processing the personal data of individuals are made clear the most important message is that businesses need to start thinking about compliance now.

This comprehensive overhaul of the data protection framework creates a new regime that attempts to modernise data protection so it is suitable for a digital world. The jury is still out on how successful it is in balancing rights, but changes to be aware of are that it:

■ Creates a single set of rules (but not quite) – one of the goals of the GDPR was to create a common set of rules across the EU. However, with more than 50 exemptions that allow member states discretion as to how they implement the rules, they will still not be fully harmonised in key areas, ranging from the consent age for children and the exemption for research purposes

■ Operates with extraterritorial effect – The rules apply to all organisations that process EU citizens’ personal data, regardless of where they are located. So if you are analysing, storing or monitoring the activities of EU citizens, your business will fall under the regulation

■ Expands the definition of personal data – what constitutes ‘personal data’ is much broader and it specifically covers ‘online identifiers’. This means cookies and advertising IDs will be caught, along with anything that contributes to identifying an individual, or links to such identifying information

■ Places greater liability on both data processors and controllers – wider responsibilities are placed directly on data processors, who now have a much higher risk profile. Previously, there were no direct obligations, but this has changed under the GDPR; data subjects/individuals can take direct action against them or the data controller

■ Requires greater business accountability – some administrative burdens are lifted because there will no longer be a need to notify the UK Information Commissioner’s Office of how you intend to use personal data. In its place, however, are new requirements on maintaining good records and systems, doing privacy impact assessments and entrenching privacy by design and default

■ Enhances individuals rights – data subjects will have a right to be forgotten and to data portability, so you can be required to provide data to individuals in a format that allows them to take it to a competitor. Existing rights have also been strengthened considerably. There will be a right of access to data – including the retention period – free of charge, within 30 days. There is much greater focus on the clarity of information notices and it will be easier for people to object to different types of processing, including profiling and marketing. Businesses have an obligation to promote these rights to individuals

■ Introduces notification of data breaches – there is a new requirement to notify data protection authorities of serious breaches within 72 hours and to let individuals know where the breach may cause harm

■ Mandates appointment of Data Protection Officer (DPO) – businesses involved in regular and systematic monitoring, or processing of sensitive data, on a large scale will have to appoint a DPO

■ Raises standards for cross-border transfers – current mechanisms such as Binding Corporate Rules and model contract clauses will be acceptable under the GDPR. The EU-US Privacy Shields, intended to replace the Safe Harbor arrangements, will need to go through the process for assessing ‘adequacy’ before it can be approved.

■ Increases fines and strengthens the enforcement regime – significantly heavier sanctions are a sea change in the data protection reforms, with fines for non-compliance of up to €20m or 4% of worldwide turnover.

Leave or remain? Data protection compliance still needs to start now

The GDPR introduces a harmonised regime with a common set of rules, applicable in all EU member states from spring 2018. In light of this, one obvious issue to consider is the possible impact of the result of the June 2016 UK referendum on EU membership.

Suffice to say that – regardless of whether the country decides to leave or remain in the EU – it is inevitable that data protection reform will continue to be a critical part of the legal landscape.

If British citizens opt to leave, the UK will still need to maintain commercial and trading relationships. If it decides to join the European Economic Area (EEA), then the UK will be required to adopt EU laws.

If the British electorate votes to leave the EU completely, then similar or ‘equivalent’ data protections will need to be put in place to ensure that the UK regime for data protection is considered ‘adequate’ to allow cross-border transfers of personal data of EU citizens.

Regardless of the precise legal requirements, commercial trade – with its increasing demands on individuals and awareness of the importance of data control – means that data-protection reform will continue to be a core compliance issue for all businesses, including researchers. Guidance from regulators and EU institutions will help flesh out the nuanced detail and implications of these reforms for researchers. In the meantime, however, all organisations need to start a GDPR compliance project.

Dr Michelle Goddard is director of policy and standards at MRS