The GDPR has introduced a huge increase in regulatory risk. Compliance with data protection laws often involves making decisions which are not clear cut. Under GDPR, getting it wrong can attract a severe penalty.
When?
The General Data Protection Regulation (GDPR) applies in all member states of the EU from 25 May 2018 (it entered into force in May 2016, with a two-year transition period before it became applicable).
Overview
- Many concepts in the GDPR are familiar from current data protection laws, such as the concepts of data controller, data processor, personal data and sensitive personal data. Also, the data protection principles are broadly similar to those under the current law, but with added detail and an important new accountability requirement.
- However, the GDPR contains many additional and more onerous obligations, including detailed record keeping and documentation requirements, and some significant new data protection concepts. In addition, the penalties for getting it wrong are much more severe.
- Cybersecurity is continuously in the headlines. Data security breaches can put individuals at risk and cause them loss; they also expose the company to reputational damage, claims, fines and other potentially serious consequences. People are increasingly aware of their privacy rights, and expect the organisations they entrust with their data to respect it and handle it securely. As the UK Information Commissioner commented, GDPR presents an opportunity:
“to look at how we do things afresh. To consider where we can improve. Getting it right means not only following the letter of the law, but taking people with us, demonstrating to customers that you’re taking your responsibilities with their data seriously”.
GDPR readiness programme – what you should be doing
- GDPR may require significant changes for many businesses, and some of these changes will require substantial lead time.
- Moving towards GDPR compliance will be a marathon and not a sprint. It’s best to start now:
- Generate awareness within your organisation.
- Data protection is a team sport. Set up a project team with full board engagement.
- Carry out a data inventory and mapping exercise to understand what data you have, what you use it for, where it is held and what third parties are involved in processing.
- Undertake data protection impact assessments where needed.
- Review all relevant policies, procedures and contracts.
- Carry out a gap analysis to work out what compliance steps are needed.
- Prioritise and scope out a remediation programme.
- Implement remediation programme.
- Train, monitor, audit, adjust.
- With the potential for high fines, as well as the fact that good data protection practice helps build trust and can act as a competitive differentiator, businesses need to start work now on becoming compliant with the GDPR.
Personal data
- The definition of “personal data” is wider under the GDPR: it explicitly includes identifiers such as a name, an identification number, location data and online identifiers, as well as one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person.
- Online identifiers can be provided by devices, applications, tools and protocols, such as IP addresses, cookie identifiers or other identifiers such as RFID tags.
- Sensitive personal data is now referred to as “special categories of personal data”. The categories are broadly the same, but include genetic and biometric data where processed to uniquely identify an individual.
Six general principles regarding personal data
- The six data protection principles set out the main responsibilities for organisations. The principles are similar to those in existing data protection laws, with added detail and a new accountability requirement.
- Lawfulness, fairness and transparency – data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation – data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation – data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy – data must be accurate and, where necessary, kept up to date.
- Storage limitation – data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality – data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures.
Accountability
- As well as compliance with the six data protection principles, data controllers must be able to demonstrate compliance with the principles (“accountability”).
- You are expected to put into place comprehensive governance measures. Practically, this is likely to mean:
- Updating or implementing policies and procedures, such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintaining documentation on all processing activities.
- Adopting the principles of data protection “by design” and “by default” (see below).
- Using data protection impact assessments where appropriate (see below).
- Following approved codes of conduct and/or implementing certification schemes.
Legal basis for processing
- You must look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
- As under the current law, the processing of personal data under the GDPR will only be lawful if one of a set of conditions is met (the GDPR lists six; the others are protection of vital interests and tasks carried out in the public interest or in the exercise of official authority). The ones most commonly relied on are:
- Consent of the data subject.
- Where the processing is necessary for the performance of a contract to which the data subject is a party.
- Where the processing is necessary for compliance with a legal obligation to which the controller is subject.
- Where the processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
- There are additional conditions for special categories of data, including explicit consent.
Consent
- The GDPR is much more prescriptive about the requirements for obtaining consent.
- Consent is defined as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes”.
- Consent requires some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent.
- If you offer online services directly to children and rely on consent, the consent of a child under 16 is only valid if given or authorised by the holder of parental responsibility. Member states may lower this threshold, but not below 13.
- Individuals have a right to withdraw consent at any time. And it must be as easy to withdraw as to give consent.
- Data controllers cannot rely on consent if there is a “clear imbalance” between the parties (for example, the employer and employee relationship) as consent is presumed not to be freely given.
- Implications:
- You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
- Where processing is based on consent, you must also be able to demonstrate that consent was given. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail.
- Where before the GDPR comes into force you already have obtained consent, you will be required to obtain fresh consent unless the standard of the existing consent meets the new higher requirements under the GDPR.
- Consider whether an alternative ground for processing is available, such as legitimate interests, or contractual performance.
Legitimate interests
- To rely on “legitimate interests” as a legal basis for processing personal data, a data controller must balance its legitimate interests against the interests, fundamental rights and freedoms of the data subject and ensure that the individual’s rights are not overridden.
- When carrying out this exercise data controllers will need to take into account a data subject’s reasonable expectations based on the relationship between the two parties, such as where the data subject is a client or employee of the controller.
- Legitimate interests may include:
- Processing strictly necessary for the purposes of preventing fraud.
- Processing for direct marketing purposes.
- Intra-group transfers.
- To secure network and information security.
Privacy Notices
- The requirements of the GDPR are more detailed and specific than in the current law; you may need to include more information in your privacy notices.
- Much of the information required to be supplied is the same as under current legislation, but some additional information must be provided depending on whether you are collecting the information directly from data subjects or from a third party, including details of:
- the contact details of the data protection officer, where applicable;
- the legitimate interests relied on, where applicable;
- transfers to third countries and safeguards;
- data retention periods;
- data subject’s rights (see below);
- the right to withdraw consent at any time, where relevant; and
- the right to lodge a complaint with a supervisory authority.
- While there is a requirement for more detail, privacy notices must also be:
- concise, transparent, intelligible and easily accessible; and
- written in clear and plain language, particularly if addressed to a child.
- Implications: the GDPR presents an opportunity to review how you present information to data subjects and to look at more accessible means, such as:
- use of plain language, without legalese;
- layering (providing brief summary information with links to more detailed information);
- providing privacy information in context “just in time”;
- use of privacy dashboards;
- use of standardised icons (which may at a later date be introduced by the EU), animations, videos etc.
Privacy by design and by default
- The objective is innovation and privacy, not innovation or
- This concept requires that a controller takes into account privacy and data protection when developing, designing, selecting and using applications, services and products that process personal data.
- There is a general obligation to implement appropriate technical and organisational measures, which are designed to implement data protection principles, such as data minimisation, in an effective manner.
- In deciding what is “appropriate” controllers need to consider the state of the art, the cost of implementation as well as the risks posed by the processing.
- Privacy-friendly techniques such as pseudonymisation (see below) are encouraged.
Pseudonymisation
- GDPR introduces a new legal concept of “pseudonymisation” (processing personal data so that it can no longer be attributed to a specific individual, without additional information).
- It requires that the “key” necessary to identify data subjects from the coded data is kept separately, and is subject to technical and organisational security measures to prevent inadvertent re-identification of the coded data.
- Personal data which has undergone pseudonymisation, and which could still be attributed to a person with the use of additional information, remains personal data. Pseudonymisation is, however, recognised as a safeguard that reduces risk: it counts in favour of further processing being compatible with the original purpose, and it is named as an example of an appropriate security measure.
- In contrast, data that has been truly anonymised is not personal data.
- Implications: the GDPR encourages the use of pseudonymisation where appropriate to increase data security.
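The following is an added example, not code from the original briefing, showing the distinction the definition above turns on. A plain unkeyed hash of an e-mail address, customer number or IP address (the online identifiers mentioned earlier) is not adequate pseudonymisation, because the space of plausible inputs is small enough to enumerate, so anyone holding the coded data can reverse it. A keyed construction (HMAC) whose key is held by a separate service is the pattern the definition describes: the coded dataset alone no longer identifies anyone, while the key holder retains an authorised re-identification path. The customer records, e-mail addresses and key are constructed for the example; in production the key belongs in a KMS or HSM and re-identification is access-controlled and audited.

```python
"""Pseudonymisation with a separately held key (added example; constructed data)."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records (fictional people).
CUSTOMERS: List[dict] = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "spend": 120.50},
    {"email": "bob@example.com",   "postcode": "M1 1AE",   "spend": 42.00},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "spend": 9.99},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: looks opaque, but the input space (e-mails, customer
    numbers, IPv4 addresses) is enumerable, so anyone holding the coded data
    can reverse it. This is NOT adequate pseudonymisation."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """What a party holding only the coded data can do against unkeyed hashes:
    hash every plausible identifier and compare. Returns the match, if any."""
    for candidate in candidates:
        if naive_pseudonym(candidate) == token:
            return candidate
    return None


class PseudonymisationService:
    """Holds the key, i.e. the 'additional information' that must be kept
    separately from the coded data. Analysts receive tokens only; the service
    (and whoever controls its key) is the sole re-identification path."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Hypothetical: a random key per service; a real deployment loads it from a KMS/HSM.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}  # token -> identifier, kept with the key, not the data

    def pseudonymise(self, identifier: str) -> str:
        # HMAC is deterministic for a given key, so repeat records for the same
        # person map to the same token and can still be joined in analytics,
        # while a different key yields unlinkable tokens.
        token = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._lookup[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Authorised re-identification (e.g. to action a subject access request)."""
        return self._lookup.get(token)


def build_analytics_dataset(records: Iterable[dict], service: PseudonymisationService) -> List[dict]:
    """Dataset released to analysts: the direct identifier is replaced by a token and
    other attributes are retained. Postcode and spend may still single people out,
    so the result is pseudonymised, not anonymised, and remains personal data."""
    return [
        {"subject": service.pseudonymise(r["email"]), "postcode": r["postcode"], "spend": r["spend"]}
        for r in records
    ]


def total_spend_by_subject(dataset: Iterable[dict]) -> Dict[str, float]:
    """Example analytics that works on tokens alone, without knowing who is who."""
    totals: Dict[str, float] = {}
    for row in dataset:
        totals[row["subject"]] = totals.get(row["subject"], 0.0) + row["spend"]
    return totals


if __name__ == "__main__":
    emails = [r["email"] for r in CUSTOMERS]
    # Unkeyed hash: trivially reversed by a party that knows the identifier space.
    print("naive token reversed to:", dictionary_attack(naive_pseudonym("alice@example.com"), emails))
    # Keyed: the coded dataset alone does not reveal identities; the key holder can re-identify.
    service = PseudonymisationService()
    dataset = build_analytics_dataset(CUSTOMERS, service)
    print("keyed token reversed to:", dictionary_attack(dataset[0]["subject"], emails))
    print("spend per token:", total_spend_by_subject(dataset))
    print("authorised re-identification:", service.reidentify(dataset[0]["subject"]))
```

The same split applies to IP addresses and cookie identifiers: hash them with a key that lives outside the analytics store, rotate that key on a schedule if long-term linkability is not needed, and treat the key store as the asset whose compromise would re-identify the whole dataset.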
Data protection impact assessment
- You must carry out a data protection impact assessment (“DPIA”) where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of individuals, taking into account its nature, scope, context and purposes.
- Processing likely to be high risk includes:
- a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal or similarly significant effects on individuals;
- large scale processing of special categories of data or of personal data relating to criminal convictions or offences; and
- systematic monitoring of a publicly accessible area on a large scale.
- Where appropriate, you must seek the views of data subjects or their representatives (e.g. trade unions) on the intended processing.
- Where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate it, you must consult the data protection supervisory authority (in the UK, the Information Commissioner’s Office or ICO) before starting the processing. The ICO then has eight weeks (which, for complex matters, can be extended by a further six weeks) to provide written advice to the controller.
- Implications:
- In view of timing considerations, consider as soon as possible whether you are required to carry out a DPIA.
- Even if not legally required, it may be beneficial and good practice to undertake a DPIA to enhance compliance and reduce the risk of a data security breach.
Data Protection Officer
- You must appoint a data protection officer (“DPO”) if you:
- are a public authority;
- carry out large scale regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
- The DPO will be the first point of contact, internally and externally, in respect of data protection matters.
- The DPO must have professional experience and expert knowledge of data protection law, adequate resources to do their job and must report to the board.
- The DPO must be “involved, properly and in a timely manner, in all issues which relate to the protection of personal data”.
- You cannot dismiss a DPO for the performance of their responsibilities. You would need to be able to demonstrate failure or incompetence.
Individual rights
- The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist.
- The main rights are:
- Subject access – the right to obtain confirmation that your data is being processed and a copy of it, normally without a fee, within one month of the request (extendable by a further two months where requests are complex or numerous, provided the data subject is told of the extension within the first month).
- Data portability – the right to receive the personal data you have provided to a controller in a structured, commonly used and machine-readable format and to transmit it to another controller, such as when moving between social network platforms or SaaS service providers.
- Right to erasure (‘right to be forgotten’) – the right to the erasure of personal data without undue delay – provided that there are no legitimate grounds for retaining it.
- Right to rectification – the right to the rectification of inaccurate personal data without undue delay.
- Right to object – the right to object to processing for purposes of direct marketing, including profiling.
- Right to restriction of processing – the right to require that, with the exception of storage, personal data will only be processed with the data subject’s consent or for limited purposes such as establishing, exercising or defending legal claims.
- Some of the rights depend on the basis of the processing. For example, the data portability right only arises where the processing is based on the individual’s consent or on the performance of a contract, and is carried out by automated means.
- Implications: compliance with these rights may be complex and businesses need to review and implement systems to enable them to be able to meet these new requirements.
Record keeping
- The requirement to register (notify) with the relevant data protection authority (in the UK, the ICO) is abolished.
- In its place, however, data controllers and processors must keep a record of their data processing activities.
- You must record the following information:
- Name and details of your organisation (and where applicable, of your representative and data protection officer).
- Purposes of the processing.
- Description of the categories of individuals and categories of personal data.
- Categories of recipients of personal data.
- Details of transfers to third countries including documentation of the transfer mechanism safeguards in place.
- Retention schedules.
- Description of technical and organisational security measures.
- The records must be made available to the supervisory authority on request.
- The record keeping requirement does not apply to an organisation employing fewer than 250 persons unless the processing is likely to result in a risk to the rights and freedoms of individuals, is not occasional, or includes special categories of data or data relating to criminal convictions and offences.
Processing in the context of employment
- The GDPR allows EU member states to provide for more specific rules in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, performance of the contract, equality and diversity, health and safety, and termination.
- While the GDPR is pan-European, this is an example of where national laws may add additional detail.
Data processors
- GDPR introduces direct obligations for data processors. And data processors may be liable to pay fines for breaches.
- Where a data controller and a data processor are involved in the same processing and are each responsible for damage, each can be held liable for the entire damage. A controller or processor that has paid full compensation can then claim back from the others the part corresponding to their share of responsibility.
- Data processors must notify the data controller of any data breach.
- Implications:
- Negotiating data processing agreements is likely to become more complex.
- Data controllers should identify their data processor agreements so that they can review and amend them as necessary. These changes are likely to require time to implement.
International reach
- GDPR has “long arm jurisdiction” and extends to companies who do not have a physical presence in the EU but offer goods or services in the EU and collect data about EU data subjects. This will, for example, affect many US companies that provide services into the EU. Post-Brexit, it will also apply to UK businesses addressing consumers inside the EU.
- For multi-national businesses that operate in more than one EU member state, the “one-stop shop” will mean that they can deal with a single national data protection authority (“NDPA”) as their “lead authority” (rather than multiple NDPAs).
- The ICO recommends that businesses should start to determine which NDPA will be their lead authority.
- Implications:
- Businesses outside the EU should consider whether they will be subject to the GDPR. If so, they will need to review their level of compliance with the GDPR.
- International entities which are subject to the GDPR will need to appoint a representative based in the EU, subject to limited exceptions (for example, where the processing is occasional, does not include large scale processing of special categories of data, and is unlikely to result in a risk to individuals).
- You may also need to determine which NDPA you come under as the lead authority.
International data transfers
- As at present, transfers of personal data outside the European Economic Area (“EEA”) are prohibited, unless certain conditions are met.
- Transfers to a country which has been deemed as “adequate” by the European Commission will continue to be permitted. However, so far relatively few countries have been found to be adequate. “Whitelisted” countries include Argentina, Canada, New Zealand, Israel, Switzerland.
- International transfers will be permitted:
- where the data subject has given explicit consent, having been informed of the potential risks of the transfer; or
- if necessary for the controller’s compelling legitimate interests. However, while at first blush this looks helpful, it has a very narrow scope as the transfer must not be repetitive, and must concern only a limited number of data subjects.
- Where there is no adequacy decision, personal data cannot be transferred outside the EEA without some compliance being in place. There are various options:
- Model Clauses – for transfers by a data controller to a data controller or processor outside the EEA (but not for transfers by a data processor to a sub-processor).
- Privacy Shield – for transfers to the US (the successor to the invalidated Safe Harbor scheme).
- Binding Corporate Rules – for transfers intragroup – as currently in use but now officially recognised by the GDPR.
- Where the data importer has signed up to an approved code of conduct or certification scheme – this is a new concept and may take some time before it is widely implemented.
- Restrictions on international transfers apply both to controllers and processors and both to the initial transfer, and to any “onward transfer”.
- Implications:
- Review the legal basis of any international transfers you undertake.
- Consider whether the compliance measures you currently have in place meet the requirements of the GDPR.
- Transfers currently authorised (e.g. under Model Clauses, Privacy Shield or existing BCRs) will remain valid until revoked or replaced under the GDPR.
- Review contracts with data processors as regards international transfers.
Data breaches
- A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- While there is currently no legal requirement to report data breaches, allowing many breaches to go under the radar, the GDPR introduces a legal requirement to report a data security breach.
- The GDPR requires controllers to notify the supervisory authority (in the UK, the ICO) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where notification is made later than 72 hours, it must be accompanied by reasons for the delay.
- If the breach is likely to result in high risk to the individuals, businesses must also inform data subjects “without undue delay”, unless an exception applies.
- There is a new requirement to keep an internal breach register.
- There is an obligation on data processors to notify the data controller without undue delay after becoming aware of a data breach.
- Implications:
- Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Develop an Incident Response Plan for managing data breaches.
- Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
Enforcement
- The maximum fines for breach of the GDPR are:
- Up to 2% of annual worldwide turnover or 10 million euros (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers, and data protection by design and default.
- Up to 4% of annual worldwide turnover or 20 million euros (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects rights and international data transfers.
- Data subjects have the right to compensation from the controller or processor where they suffer material or non-material damage (such as distress) due to a breach of the GDPR; thus, compensation claims can be made irrespective of financial loss. The amount of damages being awarded by the Courts is increasing substantially.
- The investigative powers of the data protection regulator include a power to carry out audits, as well as to require information to be provided, and to obtain access to premises.
The GDPR, therefore, brings a huge increase in regulatory risk. Compliance with data protection laws often involves making decisions which are not clear cut. Under GDPR, getting it wrong can attract a severe penalty.