Coventry University researcher Sara Degli-Esposti discusses implications of the new General Data Protection Regulation and highlights another piece of incoming legislation on data protection in an article originally published by Insider Media.

Organisations have been rushing to comply with the General Data Protection Regulation (GDPR) ahead of the new requirements coming into force on Friday 25 May. With good reason too. Under GDPR, data protection supervisory authorities – amongst them the Information Commissioner’s Office (ICO) – can charge non-compliant corporations up to €2m or 4 per cent of worldwide annual revenue, whichever is higher, depending on the type and gravity of infringement.

Sara Degli-Esposti

In October 2016, the ICO issued telecoms company TalkTalk with a £400k fine for a data breach affecting personal data of almost 157,000 customers. Bear in mind that under previous British privacy law (the 1998 Data Protection Act) the monetary penalty determined by the ICO for infringements could not exceed £500k. GDPR therefore introduces the possibility of much heavier fines for data breaches.

But there is a piece of incoming legislation on data protection, which is even more relevant than GDPR for British corporations – the Data Protection Bill. The Bill governs general data covered by the GDPR as well as covering all other general data, law enforcement data and national security data.

The Data Protection Bill will clarify several vague aspects of GDPR, such as the meaning of “public authority” and “public body” as well as transposing into British law the EU Law Enforcement Directive and setting rules for the functioning of the Information Commissioner’s Office.

Under the Bill, the ICO – an independent public body under Department for Digital, Culture, Media & Sport (DCMS) – will produce specific guidelines on fixed penalties. The ICO will also have to issue guidelines on notice procedures and regulatory actions, draft codes of practice, oversee certification schemes, cooperate with other European data protection agencies, organise consensual audits with corporations, investigate data breaches, and periodically report to parliament.

To cope with its increased workload, the ICO has already started a major recruitment drive for new staff.  However, hiring qualified data protection experts is not an easy task these days, as more companies try to appoint people with the right skills to tackle all the legal, technical and organisational complexities associated with GDPR.

The Data Protection Bill is relevant to all corporations, and some of them have been contributing over the past few months to make suggestions on how to improve it. The Media Lawyers Association, for example, submitted written evidence to the House of Commons Public Bill Committee advocating for the inclusion of exemptions necessary in their view to reconcile the right to protection of personal data with rights to freedom of expression and information.

Other individuals and corporations have contributed to the legislative process through written evidence. The British Medical Association has fought to protect medical confidentiality by suggesting removing an exception provision, which would have allowed the issuing of secondary legislation on how confidential health data are shared.

People’s medical or drugs history is considered sensitive data within GDPR, which means that it must be treated with additional care, processed and shared only for well-defined purposes. But because of the potential value of this data for insurance and pharmaceutical companies, it is not uncommon for it to be stolen and traded on the dark web black market.

Because GDPR and the Data Protection Bill represent comprehensive pieces of legislation covering all sectors, they may also cause operational problems to small enterprises and not well-funded public institutions.

The National Pharmacy Association (NPA) has argued against the requirement for small business like pharmacies to appoint a data protection officer, claiming that they “add little benefit as community pharmacies already complete the NHS Information Governance Toolkit and pharmacists are sufficiently bound by professional duty.”

Clearly, there are aspects of the incoming data protection legislation that mean different things for different organisations. But despite its intricacies, GDPR is not something to fear. Most companies, whether public or private, large or small, are already dealing with EU citizen data, and are required to comply with the existing 1995 data protection directive. In other words, the infrastructure to handle GDPR should largely be in place already.

It is likely that you are already taking the necessary steps to prepare for the new data protection legislation and there is a wealth of information out there to help you understand exactly what GDPR means for you so that you are ready for when the new rules kick in.