Transparency and consent: why data protection legislation is getting stricter
According to technology giant IBM, more data has been created in the past two years than ever before, with an estimated 2.5 quintillion bytes shared every day. People are posting to social media, shopping online, and browsing the internet like never before, and consequently are sharing their personal information with multiple companies all over the world.
With data growing at an unprecedented rate, the rules protecting this personal information are getting stricter. Trust and integrity are important to individuals who share their details, and it is essential that businesses respect this by using data appropriately and transparently. This is why, as of May 2018, the Data Protection Act 1998 will be replaced with the European-wide General Data Protection Regulation (GDPR). This new legislation will overhaul the current legal framework and will see the law get tougher on transparency, the collection of data, and the role of consent.
Although the GDPR is EU legislation, those organisations hoping to hide behind Brexit will need to rethink their strategy – unlike EU directives, the GDPR’s regulations will come into effect immediately, meaning that as of spring 2018, UK businesses will have to abide by the rules. Similarly, another big impact that the GDPR will have on businesses is the number of firms that will have to comply with its new regulations. The legislation applies to any business which offers goods or services to, or monitors the behaviour of, individuals residing in the Union, regardless of its location. Therefore, even those businesses outside of the EU – including a post-Brexit Britain – will have to set up robust processes and policies if they wish to target or monitor consumers living in EU states.
One of the biggest changes that the GDPR will enforce is the role of transparency. Whilst this element had implicit requirements in the Data Protection Act 1998, its significance will be elevated with the new legislation. In order to be transparent, businesses have to be thoroughly open with individuals about how data is collected and used. It is therefore critical that organisations review the ways in which they gather personal information, the legal basis for processing, their policies on data retention, and how they share the data with third parties.
Firms will also have to demonstrate that they are compliant with the new law when it comes to accountability. It will be imperative that businesses update procedures and policies by keeping meticulous records of documents, carrying out Privacy Impact Assessments, and implementing Privacy by Design and Default in all activities. Demonstrating accountability will demand a greater input of time and energy from firms, to make certain that they are minimising any potential risk of breaching the law.
Consent is another aspect that has been changed substantially under the new regime. Consent will need to be explicit, specific, unconditional and capable of being easily withdrawn, so businesses can no longer rely on silence, inactivity, default settings or pre-ticked boxes as the basis for permission. According to the ICO’s draft guidance, organisations will now have to identify any third parties who are going to rely on consent to use personal information, meaning those businesses will no longer be able to rely on the ‘we may pass your data to partners of our choice’ statement. In light of these changes, businesses that rely on consent as the basis of any processing should review the suitability of this approach and see whether there is another lawful basis, such as the use of legitimate business interest, that can be used instead.
Although the GDPR will come into force in over a year’s time, it is crucial that businesses do not delay and start acting now to ensure they are ready for the new changes. This will ensure that they safeguard themselves not only from increased fines but also from the devastating reputational damage a data breach can have on a firm.