The General Data Protection Regulation and what organisations should do now to prepare for it
It is said that BREXIT will free UK businesses from burdensome EU rules. However, one rule that businesses will still need to comply with is the new General Data Protection Regulation (“GDPR”).
The GDPR will apply from 25 May 2018, well before BREXIT, and will in any case apply to any business, whether based in the EU or not, which sells to customers in the remaining EU Member States after BREXIT or has operations there.
The GDPR will replace the existing Data Protection Act 1998 (“DPA”) and this note sets out the most important changes under the new regime and what businesses should do now to prepare for it.
One small bonus of the GDPR is that there will be no need in future to register with the Information Commissioner (“ICO”) or equivalent national data protection agencies (“NDPAs”) in other countries.
Changes to the Data Protection Principles
Article 5(1) sets out six Data Protection Principles (“DPPs”). These are in the main familiar from the DPA but there are some changes, the most important of which are:
• The first DPP is altered so that in addition to being processed lawfully and fairly, personal data must in future also be processed in a transparent manner.
• To the fourth DPP is added the requirement that every reasonable effort should be made to rectify or erase any personal data which are not accurate.
Article 5(2) imposes a new accountability obligation so that, not only is the data controller accountable for compliance with the DPPs (which was the case under the DPA), it must in addition now be able to demonstrate compliance, which will require it to create an appropriate paper trail.
Article 6 sets out the conditions under which processing of personal data (other than sensitive personal data) will be lawful. There are some differences to the equivalent provisions in the DPA:
As with the DPA, processing will be legitimate if the data subject has given consent (Article 6(1)(a)). However the GDPR sets out some new obligations in relation to consent (see below).
Like the DPA, the GDPR allows processing of data where this is necessary for compliance with a legal obligation on the data controller (Article 6(1)(c) GDPR). However the recitals make it clear that “legal obligation” means one imposed by EU or Member State law (i.e. not a contract).
Processing will also be lawful if necessary in the vital interests of the data subject or other person (Article 6(1)(d)) – e.g. processing necessary in a humanitarian crisis.
Similarly, processing will be lawful if it is carried out in furtherance of a public interest role entrusted to the data controller (Article 6(1)(e)).
Finally, Article 6(1)(f) allows processing if it is in the legitimate interests of the data controller or a third party which are not over-ridden by the interests of the data subject, particularly where the data subject is a child. However this ground cannot be relied upon by public authorities.
Article 6(4) deals with further processing – i.e. processing of personal data for purposes other than those for which it was initially obtained where the consent of the data subject has not been obtained for such further processing. A list of factors to be taken into account in the lawfulness of such further processing is set out and includes matters such as whether there is any link between the intended further processing and the purpose for which the data were originally collected.
Article 9 sets out the legitimising conditions for the processing of “special categories of personal data”. Special categories of personal data now include genetic and biometric data.
Requirements in relation to consent by data subjects
Article 7 of the GDPR states that where processing is based on consent, it is for the data controller to demonstrate that such consent has been given and sets out conditions for consent:
• Where consent is given in a written document that also concerns other matters, the part of the document dealing with consent must be clearly distinguished from other matters.
• A data subject shall have the right to withdraw his or her consent at any time, and withdrawing consent must be as easy as giving it was in the first place.
• When assessing whether consent was freely given “utmost account” is to be taken of whether consent was extracted as a condition for entering into a contract where the processing of personal data was not essential for the provision of the service.
Under Article 8, where consent is relied on for the provision of information society services offered directly to a child, consent must be given or authorised by the holder of parental responsibility (Member States may set the age at which a person ceases to be a child for this purpose anywhere between 13 and 16 years).
The new Principle of Transparency
As stated above, the first DPP now includes a requirement that personal data must be processed in a transparent manner. Article 12 sets out some requirements here: any communication with a data subject must be concise, intelligible and easily accessible, expressed in clear and plain language, and provided in writing or by other means, including electronic means.
Under Articles 13 and 14, Information Notices shall be provided to data subjects setting out:
• The identity and contact details of the data controller (or its representative);
• The contact details of the Data Protection Officer (“DPO”) – see below;
• The purposes for which the data are intended and the legal basis for processing them;
• Where the data are being processed on the basis that this is necessary for the protection of a legitimate interest of the controller or a third party, what that legitimate interest is;
• Whether the data controller intends to transfer the data to a country outside the EU and the safeguards that it will put in place if so; and
• The data retention period or, if this cannot be stated, the criteria used to determine this.
Information Notices shall be provided to the data subject when the data are obtained (if obtained from the data subject) or within one month where obtained via a third party.
Where data are obtained from a third party, there are various grounds under which this information need not be provided, including that the effort would be disproportionate (Article 14(5)(b)).
Enhanced Data Subject Rights
The existing right of access to personal data (“data subject access”) has been strengthened under the GDPR. For example, by Articles 12 and 15 the data controller may not normally charge a fee and must respond within one month rather than the current 40 days (the month may be extended by up to two further months where requests are complex or numerous, provided the data subject is told of the extension within the first month). This right is however subject to various exceptions: where requests are manifestly unfounded or excessive, in particular because they are repetitive, the controller may charge a reasonable fee or refuse to act, but it bears the burden of demonstrating that this is the case.
In addition, data subjects will have the right to compel data controllers to correct inaccurate personal data held about them under Article 16 (“right of rectification”) and, under Article 17, the right to have personal data held about them that no longer need to be held deleted (the “right to be forgotten”). The latter is subject to public interest considerations such as freedom of expression and its scope is therefore unclear at present.
Data subjects will also have the right under Article 18 to the restriction (i.e. suspension) of processing under various circumstances, e.g. while the data controller investigates claims as to the accuracy of the data.
In addition, data subjects will have the right under Article 20 to have a copy of the data they have provided to the controller supplied in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible (“right of portability”). This right applies only where the processing is based on consent or a contract and is carried out by automated means.
Finally, Article 21 will give data subjects the right to object to processing. The right to object to direct marketing (including related profiling) is absolute. Where the objection is to processing based on the public interest or legitimate interests grounds (Article 6(1)(e) or (f)), the onus will be on the data controller to demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject. Separately, Article 22 gives data subjects the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal or similarly significant effects concerning them, subject to exceptions such as explicit consent or necessity for a contract with the data subject.
Data Governance obligations on data controllers and data processors
Under Article 24, the data controller must implement appropriate technical and organisational measures to ensure, and to enable it to demonstrate, that processing is performed in compliance with the GDPR – e.g. by adopting internal data protection policies, signing up to Codes of Conduct developed under Article 40 or using certification mechanisms referred to in Article 42.
By Article 25, data controllers must implement “data protection by design and by default”. This means that their systems must be designed from the outset to embed the DPPs (the Article gives data minimisation and pseudonymisation as examples) together with appropriate security, and must by default process only such personal data as are necessary for each specific purpose, in terms of the amount of data collected, the extent of processing, the retention period and who can access the data.
If a data controller/processor is not based in the EU, by Article 27 it must designate a representative in the EU to be answerable to data subjects and NDPAs for compliance with the GDPR.
Article 30 imposes upon controllers/processors the obligation to maintain records of processing, which should include matters such as the purposes of the processing, a description of the categories of data subject and personal data held, the categories of recipient outside the EU to whom personal data will be disclosed and the security measures and safeguards in place for such transfers.
However, Article 30(5) provides a derogation from these requirements for organisations employing fewer than 250 staff, unless the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of personal data (see above) or data relating to criminal convictions and offences.
Article 32 specifies that the controller and the processor must implement technical and organisational security measures appropriate to the risk presented by the processing. These may include, as appropriate: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident; and a process for regularly testing and evaluating the effectiveness of those measures. Adherence to an approved Code of Conduct or certification scheme may be used as an element in demonstrating compliance.
Article 33 sets out an important new obligation on data controllers to notify the competent NDPA of any personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification is made after 72 hours it must be accompanied by reasons for the delay, and information may be provided in phases where it is not all available at once. The notification should include details of: the nature of the data breach, including where possible the categories and approximate number of data subjects and records concerned; the name and contact details of the DPO (see below) or other person from whom more information can be obtained; the likely consequences of the breach; and the measures taken or proposed to address it and mitigate its effects. Processors must notify controllers of any data breach without undue delay after becoming aware of it. Because the clock starts when the controller becomes aware of the breach, the controller needs monitoring and escalation procedures capable of detecting and surfacing incidents quickly. Controllers must also document every personal data breach, whether or not it was notifiable, so that the NDPA can verify compliance.
Article 34 imposes a similar obligation on data controllers to notify data subjects without undue delay of data breaches that are likely to result in a high risk to their rights and freedoms. However, under Article 34(3) there is no obligation to notify data subjects individually where: (a) appropriate technical and organisational protection measures had been applied to the affected data, in particular measures such as encryption which render the data unintelligible to any person not authorised to access it; (b) the data controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise; or (c) notification would involve disproportionate effort (but in that case the data controller must make a public communication or take an equivalent measure so that data subjects are informed in an equally effective manner). Note that ground (a) depends on the data actually being unintelligible to the attacker: encrypted data whose keys were exposed in the same breach, or identifiers that can be recovered by guessing, will not qualify. If the NDPA does not agree that Article 34(3) applies, it may order the controller to notify data subjects in the usual way.
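Pseudonymisation appears in Articles 25 and 32 as a recommended measure, and the value of Article 34(3)(a) turns on whether breached data are genuinely unintelligible to whoever took them. The following example is added here to illustrate the distinction and is not code from the original note. It assumes the Regulation's own definition of pseudonymisation (Article 4(5): data that can no longer be attributed to a specific data subject without additional information that is kept separately and protected), and it uses constructed sample records and a constructed attacker word list. The hypothetical key-handling arrangement (the HMAC key living in a separate system such as a KMS) is an assumption, not anything the note prescribes.

```python
"""Pseudonymising identifiers with a separately held key versus naive hashing.

Added example (not from the original note). Shows why an unkeyed hash of an
email address is NOT pseudonymisation: anyone holding the dataset can reverse
it by guessing, whereas an HMAC under a key kept elsewhere cannot be reversed
without that key, and CAN be if the key leaks alongside the data.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Constructed sample records; not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "pro"},
    {"email": "bob@example.com", "plan": "free"},
]

# Constructed word list: addresses an attacker might have harvested elsewhere.
ATTACKER_DICTIONARY = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Looks anonymous but is reversible for any identifier
    the attacker can guess, so it does not meet the Article 4(5) definition."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a key that is stored separately from the dataset
    (assumed here to live in a KMS/HSM). The key is the 'additional
    information kept separately' that makes the token a pseudonym."""
    return hmac.new(key, identifier.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def reidentify_by_dictionary(token: str, dictionary: Iterable[str], key: Optional[bytes]) -> Optional[str]:
    """Attacker's view: try to reverse a token by testing candidate identifiers.
    With key=None the attacker only holds the dataset and tries plain hashes;
    with the key (insider, or key leaked in the same breach) they try HMACs."""
    for candidate in dictionary:
        guess = naive_hash(candidate) if key is None else pseudonymise(candidate, key)
        if hmac.compare_digest(guess, token):
            return candidate
    return None


def build_dataset(records: Iterable[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier with a pseudonym; the key stays elsewhere."""
    return [{"subject_id": pseudonymise(r["email"], key), "plan": r["plan"]} for r in records]


def demo() -> dict:
    """Compare how each scheme survives an attacker holding only the dataset,
    and what happens once the key is also compromised."""
    key = secrets.token_bytes(32)  # in practice generated in, and never exported from, the key store
    naive_token = naive_hash("alice@example.com")
    pseudo_token = pseudonymise("alice@example.com", key)
    return {
        "naive_reversed": reidentify_by_dictionary(naive_token, ATTACKER_DICTIONARY, None),
        "pseudo_reversed_without_key": reidentify_by_dictionary(pseudo_token, ATTACKER_DICTIONARY, None),
        "pseudo_reversed_with_key": reidentify_by_dictionary(pseudo_token, ATTACKER_DICTIONARY, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the naive token reversed to the original address, the HMAC token unreversed while the key is unknown, and the same HMAC token reversed once the key is available. That last line is the practical reading of Article 34(3)(a): a breach of the pseudonymised table alone may not need individual notification, but a breach that also exposes the key store does, and the same reasoning applies to encryption keys.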
Data Protection Impact Assessments (“DPIAs”) and Data Protection Officers
Article 35 sets out an important and potentially onerous obligation on data controllers which is to perform a DPIA in advance where processing is likely to pose a high risk to the rights and freedoms of natural persons. This will particularly be the case where the processing uses new technologies. The DPIA should be performed by the data controller with the advice of the DPO if appointed.
A DPIA should contain: (a) a description of the intended processing and its purpose; (b) an assessment of the necessity and proportionality of the processing; (c) an assessment of the risks of the processing to the rights and freedoms of data subjects; and (d) the intended mitigation measures and their effectiveness in ensuring compliance with the Regulation.
By Article 36(1), if the DPIA indicates a high risk to data subjects in the absence of mitigation measures, the data controller must consult the NDPA prior to the processing. The timetable for such consultation may be up to 14 weeks from when the NDPA has all the information it needs.
Under Article 37(1), public authorities (apart from courts acting in their judicial capacity) must appoint a DPO, as must data controllers/processors whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of personal data or data relating to criminal convictions and offences. DPOs may be an employee of the data controller/processor or an external contractor.
The tasks of the DPO shall include: (a) advising data controllers/processors and their staff of their responsibilities under the GDPR; (b) monitoring compliance; (c) advising on DPIAs; and (d) cooperating with the NDPA and acting as its contact point.
Transfer of Personal Data outside the EU
The basic position, as set out in Article 44, is that no personal data relating to data subjects within the EU is to be transferred to a third country unless one of the following applies:
1. The Commission has determined under Article 45(3) that the territory to which data are to be transferred offers an adequate level of protection (an “adequacy decision”); or
2. Under Article 46 where the data controller/processor has provided appropriate safeguards, e.g.:
a. Binding corporate rules approved by the NDPA under Article 47;
b. Standard data protection clauses approved by an NDPA or the Commission;
c. Compliance with an approved Code of Conduct or certification scheme;
d. Subject to prior NDPA authorisation, bespoke contractual clauses between the controller/processor and the recipient.
3. Under the final subparagraph of Article 49(1), the transfer is not repetitive, concerns only a limited number of data subjects and is necessary for compelling legitimate interests of the data controller which are not over-ridden by the interests, rights and freedoms of the data subjects, and the controller has assessed the circumstances and put in place suitable safeguards. Such transfers must be notified to the NDPA, the data subjects must be informed, and suitable records kept.
Article 49 also allows data transfers without an adequacy decision or Article 46 safeguards where:
• The data subject has given explicit consent;
• The transfer is necessary for a contract between the data subject and the data controller or a contract between the data controller and a third party which is in the data subject’s interests;
• The transfer is necessary for important reasons in the public interest;
• The transfer is necessary for a legal claim;
• The transfer is necessary to protect the vital interests of the data subject or a third party;
• The transfer is from a public register.
Powers of NDPAs
Of most relevance to businesses will be the powers of the NDPA set out in Article 58. These build on powers already available to the ICO under the DPA and include the ability to order:
• data controllers/processors to comply with the Regulation within a given timescale;
• the data controller to communicate a data breach to data subjects;
• rectification or erasure of personal data or a restriction of processing;
• a temporary or definitive limitation (including a ban) on processing; or
• the suspension of data transfers to third countries.
Under Article 77, every data subject has the right to lodge a complaint with a NDPA. Where he or she is dissatisfied with the outcome, Article 78 provides a right of appeal to the national Courts. In addition data subjects have the right to bring an action against data controllers/processors for an injunction etc. in the Courts under Article 79 and for damages under Article 82.
The most important new power for NDPAs is that they will now have the power to levy substantial fines for breach of the GDPR.
Article 83(4) specifies a fine of up to the higher of €10 million or 2% of global group turnover for:
• breach by a data controller/processor of any of:
o Article 8 (consent by children);
o Article 11 (processing not requiring identification of the data subject);
o Articles 25 to 39 (data protection by design and default, appointment of EU representative, requirements for data processors, record keeping and cooperation with NDPA, security, data breach notification, carrying out DPIAs, appointment of DPOs); or
o Articles 42 and 43 (certification);
• breach of an obligation imposed on a certification body under Articles 42 or 43; and
• breach of an obligation imposed on a monitoring body under Article 41(4).
Article 83(5) specifies a fine of up to the higher of €20 million or 4% of global group turnover for:
• breach of the DPPs;
• breach of data subject rights;
• breach of the rules relating to third country transfer of personal data;
• any obligations under Member State law adopted pursuant to Chapter IX (see below);
• failure to provide access by the NDPA to data and/or premises under Article 58(1); and
• non-compliance with an order under Article 58(2) to cease processing or transfers.
Derogations for freedom of expression etc. under Chapter IX
Member States shall in their national laws provide for derogations from the GDPR in relation to, e.g. freedom of expression and journalistic purposes, processing in the context of employment, processing for archiving purposes in the public interest, scientific or historical research or statistical purposes and processing by churches and religious associations.
SOME STEPS RECOMMENDED BY THE ICO TO PREPARE FOR THE GDPR
1. Raise Awareness
Make sure that key decision makers in your organisation are aware that the law is changing and identify areas that could cause compliance problems under the GDPR.
2. Document the information you hold
Document what personal data you hold, where it came from and who it is shared with. A data audit will assist here and also in complying with the GDPR’s accountability principle, which requires organisations to show they comply with the DPPs, e.g. by effective policies and procedures.
3. Review current Privacy Notices
Under the GDPR there are some additional things you will have to tell data subjects when you collect data on them – e.g. the legal basis for processing the data, data retention periods and that individuals have a right to complain to the ICO.
4. Review procedures to comply with data subjects’ rights
Check your procedures to work out how you would react if someone asked to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion? The right to data portability is new: if you hold data only as paper print-outs or in an unusual electronic format, changes will need to be made.
5. Subject access requests
In most cases data controllers will not be able to charge for complying with a request and will normally have just a month to comply, rather than the current 40 days. If you want to refuse a request, e.g. because it is manifestly unfounded or excessive, you will need to have procedures in place to demonstrate why the request meets these criteria.
6. Review the legal basis for processing
Under the GDPR some data subject rights will be modified depending on the legal basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where consent is relied on as the legal basis (consent can be withdrawn).
7. Consent
Note that consent has to be verifiable and that individuals generally have stronger rights where you rely on consent to process their data. Controllers must be able to demonstrate that consent was given. Review your systems for recording consent to ensure you have an effective audit trail.
8. Children
If your organisation offers online services directly to children and relies on consent to process their data, you will need a parent or guardian’s consent (or authorisation) for children below the applicable age. Your Privacy Notice must be in language that children will understand.
9. Data breaches
Organisations should make sure they have the right procedures in place to detect, report and investigate personal data breaches. This could involve assessing the types of data they hold and documenting which ones would fall within the notification requirement if there was a breach.
10. Data Protection Impact Assessments
Organisations should start to assess where it will be necessary to conduct a DPIA and consider who will do it, who else needs to be involved, and whether the process will be run centrally or locally.
Note that where a DPIA indicates high risk data processing, you will be required to consult the ICO for an opinion as to whether the processing complies with the GDPR.
11. Data Protection Officers
The GDPR will require some organisations to designate a DPO. This needs to be someone in your organisation, or an external advisor, who will take responsibility for your data protection compliance and who has the knowledge, support and authority to do so.