GDPR: The devil’s not in the detail, it’s somewhere else!
The General Data Protection Regulation (GDPR) has, quite rightly, attracted a lot of press about how organisations need to comply with new data protection rules by 25 May 2018. However, GDPR compliance is only half the story for organisations operating in the UK. Whilst the GDPR sets out the basic new data protection rules that will apply across the EU (Brexit will not have any effect on the applicability of GDPR to the UK), the GDPR allows EU member states discretion as to how they implement certain parts of it. Moreover, in many areas, GDPR requires supplemental laws and further clarification.
On 13 September 2017, the UK government published its Data Protection Bill, which will supplement the GDPR. Whereas the GDPR covers some 90-odd pages of law, the Data Protection Bill covers over 200! Therefore, it is clear that for UK organisations, high-level GDPR compliance will not be enough. There is far more legal compliance required, which will be detailed in a new Data Protection Act once the bill becomes law.
Indeed, it is fair to say that basic compliance with GDPR could put organisations in breach of the law set out in the bill. We will give a practical example based on a real life matter we are currently advising on:
ABC Limited seeks feedback about its employees’ performance from its customers. That feedback is personal data about each employee.
Under the GDPR, ABC Limited must inform the employee about the source of the feedback. On the other hand, that feedback is the personal opinion of the source and therefore it is also the personal data of the source. Under the Data Protection Bill, in most cases, it would be unlawful for ABC Limited to release the personal data of the source without the source’s consent. Hence, as this example demonstrates, strict compliance with GDPR alone can put an organisation in breach of UK national data protection law.
Therefore, GDPR compliance is not enough. Over the coming weeks and months, we shall publish a series of articles about steps that organisations should be taking to comply with not only GDPR but all UK data protection legislation. We hope to share with you some of the practical issues we have encountered in helping our clients prepare for and comply with the new law.