Posted on Jan 13, 2017
General Data Protection Regulation
The EU General Data Protection Regulation (“GDPR”) is set to significantly revamp current data protection laws and is due to take effect in all Member States from 25th May 2018. Its implementation will precede the UK’s exit from the EU; therefore, regardless of the Brexit negotiations, there will be a period of time during which GDPR will apply in the UK, and it is likely that following Brexit, UK law will more or less mirror GDPR going forward.
There has been much written already about the effect GDPR will have on UK data practices. Here, however, we take a look at what impact GDPR will have from a public authority/body perspective and what such organisations should be doing to get GDPR ready.
‘Public Authorities’ / ‘Public Bodies’
GDPR includes terms and obligations specifically relating to public authorities and public bodies; unhelpfully, it does not define their scope. It is likely these terms will be defined by individual Member States. Under the current regime, the Data Protection Act 1998 (DPA) defines ‘public authority’ by reference to the definition in the Freedom of Information (Scotland) Act 2002 (“FOISA”). FOISA’s definition of ‘public authority’ currently includes local councils; universities; colleges; the NHS; Scottish Ministers; Parliament; the Police; organisations that provide a public function or are engaged by a public authority to provide a public function (e.g. public transport, water, energy, housing associations etc.); and ‘publicly owned companies’ (i.e. a company wholly owned by the Scottish Ministers or by a Scottish public authority listed in Schedule 1 to FOISA), which would include, for example, wholly owned university spin-outs.
It is unclear at this stage whether the definition of ‘public authority/body’ under GDPR will mirror that used under the DPA. However, it seems unlikely that it will depart from it significantly. Therefore, in our view, organisations that are currently caught by FOISA ought to prepare for GDPR on the assumption that they will be caught not only by GDPR (which they most certainly will) but also by the obligations specific to public authorities and public bodies under GDPR.
Changes introduced by GDPR
Fines for breaching GDPR (maximum: the greater of 4% of turnover or €20M) are significant compared with those under the DPA (maximum £500K). Public Authorities/Bodies (“PAs”) should use the implementation period usefully to ensure they are GDPR compliant prior to 25th May 2018. A high-level look at the main obligations placed on PAs under GDPR includes:
Getting GDPR Ready
Getting ready for GDPR may be a significant exercise for many PAs, and it is recommended to start now, if not already under way. In terms of how this is approached, a suggested sequence would be to: (i) undertake training to educate key individuals on the impact GDPR may have on the organisation; (ii) undertake a gap analysis to identify areas that need to be addressed; (iii) plan how to deal with areas of non-compliance, handling high-risk issues first; and (iv) implement the changes.
Categories: Intellectual Property