Data Protection - GDPR Resources
These are the slides for a talk that I gave last week on the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) ("the GDPR").
Why the GDPR is important
The regulation will come into force simultaneously in all 28 member states of the European Union including the United Kingdom on the 25 May 2018. It will repeal the Data Protection Directive (Directive 95/46/EU) which was transposed into English and Welsh as well as Scottish and Northern Irish law by the Data Protection Act 1998. Although the GDPR will eventually cease to be part of our law either when we leave the EU on 29 March 2019 or at the end of any transition or implementation period that may come into effect immediately after our exit, its provisions are likely to be preserved by a new Data Protection Bill which is making its way through Parliament.
My Interest in Data Protection
I have taken a professional interest in data protection ever since 1983 when I was legal adviser to VISA International for Europe, the Middle East and Africa. I attended the first IBA conference on trans-border data flows in Toronto in October 1984 and TBDF was a hot topic at the International Telecommunications Union's legal forum in Geneva in November of that year. I was also commissioned by Butterworths to contribute the first chapter on data protection to both Atkin's Court Forms and the Encyclopedia of Forms and Precedents shortly afterwards.. I have advised businesses on data protection law and represented them in civil proceedings ever since. For several years I offered an arbitration service to resolve disputes between US businesses and data subjects pursuant to the "safe harbor" agreement between the Commission and the US government.
Introduction and Overview
The above presentation is an introduction to and overview of the GDPR. It was given to colleagues because barristers are affected by data protection like everyone else. Most of my talk focused on the guidance prepared by the Information Commissioner's Office for micro-businesses on 12 March 2018 which I strongly recommend (see also Making Data Protection Your Business on the Commissioner's website).
Data Protection Blog
Because there is a lot of discussion about the GDRP (not all of it well informed) I launched the NIPC Data Protection Blog on 11 Aug 2017 (see Welcome to NIPC Data Protection 11 Aug 2017). You can reach it through the menu at the top left hand corner of the home page of this blog or directly by typing http://nipcdp.blogspot.co.uk/ into your browser.
Those who need basic information on data protection may find the following articles helpful:
- An Introduction to the GDPR 2 Dec 2017
- How the GDPR works 3 Dec 2017
- The GDPR Index page, and
- The Data Protection Glossary.
Change Evolutionary and not Revolutionary
The law will change in a number of ways on 25 May 2018 but not nearly as much in practical terms as many people think. For instance, one of the differences between the new law and the current law is that the GDPR will impose an express duty on data controllers to demonstrate that they comply with the data protection principles instead of just complying with them, Probably there was always an implied duty to demonstrate compliance but now it is spelt out.
Frequently asked questions
Two issues which crop up a lot in questions and answers are fines because the maximum financial penalty that the Commissioner can impose will rise from £500,000 to €20 million and data subjects' consents since a data subject's signature on a paper consenting to processing is a good way of showing that your processing activity is lawful.
On fines, I have written GDPR _ Fines on 7 Dec 2017.
Following a talk that I gave to the staff of a small local authority in Kent in December, I wrote GDPR - Lawfulness of Processing and Consent 7 Dec 2017.
I wrote a further article on consent yesterday after the presentation mentioned above (see Consent to Processing of Personal Data 23 March 2018).
Anyone wishing to discuss this article or data protection in general should call me on 020 7404 5252 during office hours or send me a message through my contact form.