Data Protection Law changes are coming
Helplines, charities and other organisations will need to be ready for 2018 when Data Protection Law changes come into effect.
The General Data Protection Regulation will become law in 2018 across 28 EU member states, and the UK regulator has called for organisations to begin their preparations for these reforms.
People call, or communicate with helplines using text, webchat or other channels. There may be a log of the contact, or call recordings, to enable the helpline to provide follow-up support. Occasionally, information regarding a caller may need to be shared with statutory services. Helplines also have to find ways to measure their impact, and will be recording data to do this.
Organisations that use personal data, whether businesses, public authorities, charities, schools or hospitals, will be affected by the changes. In the past people have often had concerns about how their data is being used and shared without their knowledge.
Shifting the balance so that individual rights are the focus of privacy law, and so that compliance can operate in a digital age, will have a number of complex impacts. These will include:
- New rules regarding the consent to use personal data.
- New requirements for Privacy by Design, where protections for personal data and privacy are built into all business operations from the outset.
- New requirements to carry out Privacy Impact Assessments, which assess the impact of how an organisation is planning to use personal data, so that organisations understand the risks that can flow from their use of data.
- New obligations for transparency, including a Breach Disclosure requirement for the reporting of security and confidentiality breaches. If an organisation loses personal data, it will need to report the loss, most likely to the regulator, and it may also be required to tell the people who could be affected by the data loss.
The proposed new rules provide people with stronger rights over their personal data. Individuals will be able to demand the Right to Be Forgotten, so that personal data is deleted and destroyed.
New rules on Data Portability could allow people to move data from one organisation to another, and people will be able to demand greater access to their data. Most significantly, people will be able to sue organisations for compensation if they are distressed by a breach of the law, and will be able to complain to regulators if they think that the rules have not been followed.
Regulators will also be able to impose substantial financial penalties for non-compliance, which in serious cases may run into many millions of Pounds or Euros. The maximum fine is £20 million or 4% of global turnover, whichever is higher.
So, there’s lots to think about in relation to how helplines can prepare for a new regulatory framework. Final political sign-off on the new rules is expected in the summer. This will be followed by a two-year transition period before the regulation becomes law across the EU, including replacing the EU Directive on which the UK’s Data Protection Act 1998 is originally based.
Stay up-to-date with legislation by attending our Data Protection masterclass