19 October 2017
The General Data Protection Regulation (the "GDPR") will have direct effect in the UK from 25 May 2018 and overhauls the UK's current data protection regime under the Data Protection Act 1998 (the "DPA"). The government has also published the Data Protection Bill (the "Bill") which will replace the DPA and is intended to ensure that UK and EU data protection regimes are aligned following Brexit. Until the UK leaves the EU the Bill supplements the application of the GDPR in the UK incorporating agreed derogations and extending the application of the legal framework to other areas of data processing which are not otherwise covered by the GDPR.
Does the GDPR apply to you?
As under the DPA, the GDPR applies to the processing of personal data: (i) by automated means; or (ii) by non-automated means where the data forms part of a filing system. In either case, the GDPR applies regardless of who is carrying out the processing (although processing by a natural person in the course of a purely personal or household activity is excluded from the scope of the GDPR). The GDPR definition of personal data is essentially the same as under the DPA being any information which relates to an identified or identifiable natural person. Sensitive personal data – called special categories of personal data under the GDPR - now excludes information about the commission of offences but includes genetic and biometric data.
What are the key changes?
The GDPR leaves much of the existing DPA regime intact; the definitions, data protection principles, rights of individual data subjects, and conditions for processing are very similar. But the GDPR does make some significant changes.
Transparency and privacy notices: If you want to collect and process someone's data you need to be transparent about it. The GDPR specifies in detail the information that must be provided to data subjects (usually in a privacy notice) regarding the use of their personal data and their rights in relation to it. Any communication with data subjects must be in a concise, transparent, intelligible and easily accessible form.
Lawful Processing: For processing to be lawful under the GDPR, you need to identify, document and communicate to the data subject a legal basis for processing the data. The six lawful bases for processing personal data under the GDPR are similar to the conditions for processing under the DPA and the most commonly used are still likely to be: (1) consent; (2) contractual necessity; and (3) legitimate interests of the data controller or a third party.
Consent: If this lawful basis for processing under the GDPR is relied on, the consent must be "freely given, specific, informed and unambiguous". Consent must be given by some form of affirmative act and cannot be implied by silence or pre-ticked boxes. The consent cannot be relied on if it is a pre-condition to performing a contract or service and the data is not necessary for performance, or if it is obtained when there is an imbalance in the relationship between the parties (such as between an employer and its employees or between a public authority and a member of the public). Consent requests should be kept separate from other terms and conditions and, where processing has multiple purposes, consent must be obtained for each purpose.
Explicit consent must be obtained for processing of special categories of data. Explicit consent is not defined but, according to draft guidance from the Information Commissioner's Office (ICO), it requires an express statement of consent in words and cannot be inferred.
You must also inform data subjects that they have the right to withdraw consent at any time and it must be as easy for the individuals to withdraw their consent as it was for them to provide it. Under the GDPR, parental consent is required to process personal data of children under 16 to whom online services are provided directly, but the age is reduced to 13 under the current version of the Bill. According to the ICO, existing consents need not be refreshed if they comply with the GDPR requirements. But “if existing DPA consents don’t meet the GDPR's high standards or are poorly documented, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing”.
Legitimate Interests: The new regime changes this basis for lawful processing in two respects. First, public authorities may not rely on the legitimate interest basis; they may rely instead on the ground that the processing is necessary for the performance of a task carried out in the public interest. Second, in balancing the rights of data controllers and third parties against the rights of data subjects, particular weight is to be given to the rights of children. In practice, this is likely to require controllers to ensure that any decision to process data relating to children on this basis is carefully documented to show the interests of children were specifically considered.
The recitals to the GDPR set out examples of processing that could be necessary for the legitimate interest of the data controller. These include: processing where there is a client or employee relationship with the controller; preventing fraud; direct marketing; transmission of personal data within a group of undertakings for internal administrative purposes, including processing of client and employee data; ensuring network and information security; and reporting possible criminal acts or threats to public security to a competent authority.
If you are going to rely on this basis for processing you should record your assessment of the balance between the interests of the controller and the rights of data subjects. The question to ask yourself is 'would the data subject reasonably expect their data to be processed on the basis of your (or a third party's) legitimate interest'?
Increased accountability: Data controllers are required to implement technical and organisational measures to ensure, and to be able to demonstrate, that data processing is GDPR-compliant. To do this you will need to have a comprehensive compliance program in place consisting of appropriate policies, procedures and privacy notices, robust security measures, and strong internal recording practices. In doing so, you must consider the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks posed by the processing to individuals' rights.
Data Protection Officer: Controllers and processors must appoint a DPO if they are: (a) public authorities; (b) their core activities require regular and systematic monitoring of data subjects on a large scale; or (c) their core activities require large scale processing of special categories of data or data relating to criminal convictions. The GDPR contains detailed provisions regarding the role of the DPO and the tasks he or she is responsible for. Even where a DPO is not required, it is still advisable to appoint someone with responsibility for ensuring compliance with the GDPR.
Breach notification: The GDPR places a duty on data controllers to report a personal data breach to the ICO, generally within 72 hours. The duty applies unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (such as discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage). Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also (subject to certain exceptions) notify the affected data subjects without delay. The minimum contents of the notification are specified in the GDPR, and controllers must also keep an internal breach register.
Data Protection Impact Assessments: If you are going to be carrying out 'high risk' data processing, the GDPR requires you to carry out a data protection impact assessment ("DPIA"). High risk data processing includes automated decision-making, profiling, processing special categories of data or data relating to criminal convictions on a large scale, and systematically monitoring a publicly accessible area on a large scale, for example, by CCTV. The contents of a DPIA must include a description of the processing, its purposes, the legitimate interest (if any) pursued, the necessity and proportionality of the processing, the risks to rights of data subjects, and the measures envisaged to address those risks.
Rights of individuals: The GDPR has not dramatically changed the rights that individuals enjoyed under the DPA, but it has enhanced them. For example, the information to be included in a privacy notice has been expanded; and controllers must respond to subject access requests within one month and for no charge (unless the request is manifestly unfounded or excessive). The only entirely new right for individuals introduced by the GDPR is the right to 'data portability'. This allows an individual to request that their data is 'ported' or moved from one data controller to another. You must provide the data in a structured, commonly used and machine readable form. You may need to consider revising your procedures for collecting, recording and storing personal data to enable you to fulfil this request in the appropriate manner.
Enforcement: Failure to comply with the GDPR once it comes into force could mean a fine of up to €20m, or 4 per cent of your total worldwide annual turnover, whichever is higher. However, the ICO is keen to downplay fears of massive fines and has emphasised the fact that issuing fines has always been, and will continue to be, a last resort. Last year, the ICO imposed fines in only 16 of 17,300 concluded cases. Although the ICO's ability to levy fines has been greatly enhanced, we would not expect them to be imposed in cases where a genuine effort has been made to comply with the GDPR and any breach has been promptly reported.
What can you do to prepare for the GDPR?
Raise awareness: the ICO recommends that decision makers and key people in your organisation are aware of the impact the GDPR will have.
Appoint a DPO: Even if you are not required to appoint a DPO you should designate someone within your organisation to take responsibility for data protection compliance.
Conduct a data audit: You should document what personal data your organisation is processing, where it came from, the purposes for which it is processed and who you share it with. As part of your audit, you should review what security measures you have in place and consider using features such as anonymisation, encryption and pseudonymisation. If the processing is high risk, you must conduct a DPIA.
Determine your legal basis for processing: You need to ensure that you are clear about the GDPR grounds for lawful processing relied on by your organisation and document them. If you rely on consent, you should check the adequacy of your existing consents and, where necessary, refresh them.
Review your privacy notices: in addition to identifying yourself and how you intend to use the data you process, your privacy notices must also explain your lawful basis for processing data, who you will be sharing it with, what your policy is for retention of records, and the individual's rights of access, to move data, and to complain to the ICO.
Review your internal policies: Do you have an internal data protection policy? Do your staff members understand their duties when it comes to processing and protecting data? You must ensure that your employees are clear about their obligations through publication of your policies and regular staff training.
Decide how you are going to deal with data breaches: you should have procedures and policies in place to ensure that you detect, report and investigate personal data breaches, including identifying the person responsible. You should establish a register to record incidents and complaints.
Review any third party agreements that you have: If you are sharing data with a third party or if a third party is processing data on your behalf you will need to re-visit those contracts and make sure that they comply with the GDPR requirements.
We will be publishing further articles on specific areas within the GDPR in the coming weeks.