On Monday I received the following email from Northern Ballet Academy:
"Due to changes in the Data Protection law coming into force from May 2018 we now need your approval in advance to contact you with information regarding your classes and Academy opportunities. If this form is not completed and returned by 30th April we will no longer be able to contact you by email on the information listed on the form."
This is just one of many similar requests that I have received in the last few weeks from online and other service providers with whom I have dealt for many, many years.
The change in the law to which the Academy refers is Regulation (EU) 2016/279 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC which is better known as the General Data Protection Regulation ("GDPR"). It comes into force throughout the 28 member states of the European Union including the UK on 25 May 2018. That Regulation repeals a 1995 Directive that required Parliament to pass the Data Protection Act 1998. Consequently, it will replace that Act from that date.
Changes in the Law
There has been a lot of hype about the GDPR over the last few years which has been used to sell a lot of new hardware, software and training courses. The new law will make a number of changes to our law. It will affect everyone who processes personal data for business purposes whether by computer or otherwise. As that is likely to include most companies, theatres, ballet schools and even freelance teachers, it will affect many readers of this blog. However, those changes are evolutionary and not revolutionary. They are perfectly manageable with a bit of common sense. They are far less difficult to my mind than say a pirouette if, like me, you are overweight, not well-coordinated and came to ballet very late in life.
What is Data Protection and why do we need it?
Data protection is the generic term for the laws that protect personal data (that is to say, information that identifies living human beings) from misuse. It is in our interests that businesses, doctors and nurses, local authorities, places of entertainment, schools and others process personal data, as it enables us to enjoy goods and services that would not otherwise be provided. But personal data can be misused, as recent allegations over the manipulation of Facebook users' data show. Those who wish to use personal data for legitimate purposes such as communicating with audiences, recording students' progress and so on are allowed to do so if, but only if, they abide by certain data protection principles.
What are the Data Protection Principles?
These are set out in art 5 (1) of the GDPR:
"Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; ..... (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; ...... (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."
There is nothing new about those principles. They have subsisted as part of our law in one form or another since 1984. The only difference is that those who decide the data to be processed and how they are to be processed ("data controllers") have to demonstrate their compliance with those principles.
What happens if I do not comply?
The GDPR will be enforced in the UK by an official known as "the Information Commissioner". She already enforces the Data Protection Act 1998, the Freedom of Information Act 2000 and other legislation. She has an office in Wilmslow near Manchester and branches in Belfast, Cardiff and Edinburgh. She will have extensive powers to monitor compliance with the Regulation and she can impose fines or other sanctions for non-compliance. Very serious breaches of the Regulation are offences which may be prosecuted in the Crown or magistrates' courts. Also, anyone who suffers loss or damage as a result of an infringement of the GDPR may sue the person responsible for injunctions, damages and other remedies in the civil courts.
How do I comply with the GDPR?
The first thing to note is that the Data Protection Act 1998 already covers most of these obligations and has done for the last 20 years. The Act requires data controllers to notify the Information Commissioner of the personal data that they hold and how they intend to use them. If you hold personal data for business purposes you will almost certainly need to notify those details to the Commissioner as you risk administrative sanctions or criminal prosecution if you do not do so. You can find out whether you need to notify and how to do so on the Register (notify) under the Data Protection Act page of the Information Commissioner's website. Unlike the Act the GDPR does not require data controllers to notify their use of personal data to the Commissioner. However, s.108 (1) of the Digital Economy Act 2017 does and the government has published regulations to that effect which will come into force on 25 May 2018 (see Jane Lambert Information Commissioner's Charges after GDPR 27 March 2018 NIPC Data Protection).
The next thing you should do is to find out as much information as you can about the GDPR. You will find a presentation on GDPR and some articles that I have written in Data Protection - GDPR Resources 24 May 2018 NIPC Law. There is a lot of other information in my Data Protection Blog and even more on the Information Commissioner's website. I particularly recommend her leaflet Getting ready for the new UK data protection law Eight practical steps for micro business owners and sole traders which can be downloaded from her website.
What about Brexit?
Some readers will have noted that the GDPR is an EU regulation which will cease to apply to us once we leave the EU. While that is true we shall continue to enforce the GDPR during any transition or implementation period that will follow our departure from the EU. Also, the Commission has made it clear in its negotiation documents that it will expect us to protect personal data under any free trade or other agreement that will govern our long term relationship with the EU after the expiry of that period. A Data Protection Bill that contains many of the provisions of the GDPR is making its way through Parliament.
Anyone wishing to discuss this article or data protection generally should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.