The GDPR is coming...

Introduction

What is made in Europe but will apply even after Brexit; in force now but not applicable until May 2018; and likely to create a new branch of the legal profession and a new arm of corporate governance? Answer: the General Data Protection Regulation.

The General Data Protection Regulation (2016/679) (the “GDPR”) is a new European regulation which entered into force on 24th May 2016, the twentieth day after its publication in the Official Journal (Art. 99.1), although it does not apply until 25th May 2018 (Art. 99.2). The regulation, which as an EU regulation is directly applicable and does not require any national legislation to become law, repeals and replaces the Data Protection Directive (95/46/EC).

What is the GDPR?

The GDPR significantly strengthens European law concerning the protection of personal information. It does this in two ways: by strengthening and transforming the role of the Data Protection Officer (“DPO”), whose appointment becomes mandatory in circumstances where it was optional under the Directive, in effect creating a new statutory role within a company; and by significantly enhancing the controls on the processing, consent to and transfer of any personal data. To add teeth to the Tiger, fines for breach can be up to €20,000,000 or 4% of total worldwide annual turnover, whichever is the higher (Art. 83.5). These are real teeth.

What about Brexit?

The regulation applies to the processing of personal data “in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the [European] Union or not” (Art. 3.1). It also applies to the processing of personal data “of data subjects who are in the [European] Union” by a controller or processor not established in the Union, where the processing relates to the offering of goods or services to those data subjects (Art. 3.2(a)) or to the “monitoring” of their behaviour, as far as that behaviour takes place within the European Union (Art. 3.2(b)).

There is a third category which applies to “the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law” (Art. 3.3). Recital 25 gives the example of a Member State’s diplomatic mission or consular post; the author suggests it might also include, on a case by case basis, overseas territories of European countries such as (and not limited to) Guadeloupe.

The word “citizen” does not appear in the regulation at all. The regulation applies to the processing of personal data of anyone “in the Union”. This includes non-European citizens who are from time to time in the European Union, such as UK nationals who occasionally go there on holiday. It is submitted that even if a UK company post-Brexit does all of its processing and storage in the UK (which for many multi-nationals will be hard to do) it will be caught by the regulation if any of its customers go to Europe for any reason. It will, therefore, not be affected by Brexit. Worse for the British Government, as the UK has indicated that it will make use of all available derogations from the Regulation, the position may change once the UK is no longer in the European Union, because derogations are stated to be available only to Member States. The derogations relied upon may, therefore, fall away, leaving UK businesses exposed to the full regulation.

The regulation effectively provides for extra-territorial jurisdiction for European Law.

When is it in force?

The GDPR was adopted on 27th April 2016, published in the Official Journal of the European Union on 4th May 2016 and entered into force on the twentieth day after publication, being 24th May 2016 (Art. 99.1). It becomes applicable on 25th May 2018 (Art. 99.2). On 25th May 2018 Directive 95/46/EC, the existing Data Protection Directive, is repealed (Art. 94.1).

In effect, there is now just over a year for companies and organisations affected by the Regulation to get their houses in order. This will include identifying their uses of personal data and whether and to what extent they are affected by the Regulation, appointing the necessary officers and obtaining the necessary consents from data subjects.

The DPO

The regulation sets out the key role and responsibilities of the DPO in fairly broad terms (Articles 37-39), as is typical of European legislation. However, the way that this is done has, it is submitted, far-reaching effect: the DPO must report directly to the highest management level of the company (the Board in most UK companies) (Art. 38.3); must be skilled in data protection law and in information technology (Art. 37.5 read in conjunction with Art. 39); cannot be instructed by anyone in the Company insofar as performing his role as DPO is concerned (Art. 38.3); and cannot be dismissed or penalised for performing his role as DPO (ditto). He therefore becomes at the same time arguably the most powerful person in the Company and the one subject to the least control by the Company. He has a statutory role although he does not have to be an employee (Art. 37.6). This is a real and significant change.

The DPO might, you might think, be a legal professional. He certainly has to be a professional, appointed on the basis of his professional qualities and expert knowledge of data protection law and practices (Art. 37.5). However, first, the role of DPO intrinsically raises conflicts with the role of in-house counsel and so has, it is argued, to be a separate person. Second, how many lawyers do you know who are at the same time experts in a particular field and experts, or at least competently knowledgeable, in information technology? Not many, I suspect.

The DPO should be, impliedly from the wording of the regulation, subject to professional accreditation and to the highest professional standards in performing his role. The DPO will be neither a solicitor, nor a barrister, nor a legal executive, nor a notary public. He will, it is suggested, fall into a fifth, currently unregulated, branch of the legal profession, one whose yet to be identified regulator will need to consider carefully the DPO’s professional competencies and obligations in the areas of information law and information processing.

Conclusion

The GDPR is with us now and will be with us beyond Brexit. The regulation is far-reaching and has real teeth. The role of the DPO is expanded and enhanced, and a good deal of work needs to be done by companies which handle personal data to ensure compliance in advance of 25th May 2018. Watch this space…