20 Sep 2017
The GDPR – MAY 2018 APPROACHING FAST
The GDPR – General Data Protection Regulation – is a new and lengthy EU Regulation harmonising and strengthening data protection within the EU that comes into effect on 25 May 2018. The GDPR applies to any organisation that processes or holds the personal data of EU citizens, whether or not that organisation is based in the EU. The Government has already confirmed that the GDPR will form part of UK law following the UK’s withdrawal from the EU. If you have not already started planning then you need to do so now.
It is important that businesses take steps to consider their obligations under the GDPR, not least because the fines for non-compliance can reach a maximum of 4% of your organisation’s global annual turnover, or up to €20m, whichever is the greater amount.
The Office of the Information Commissioner has made a number of recommendations for businesses to follow. This note summarises those recommendations.
Your senior management team need to be aware of the GDPR and consider the compliance and governance issues that arise.
Communicating Privacy Information
Under the Data Protection Act, when you collect personal data, you have to inform individuals of certain information, for example, your identity and how you intend to use their personal information. Under the GDPR, you need to explain your lawful basis for processing the data, the data retention periods and that individuals have a right to complain to the Office of the Information Commissioner (“ICO”), if they have a concern with how you handle that data.
Organisations will need to review their procedures to ensure they cover all the rights individuals have. Individuals enjoy the same rights under the GDPR as those which they enjoy under the Data Protection Act, but also have additional rights to object and not to be subject to automated decision making.
Many of the rights under the Data Protection Act continue to apply. Rights under the GDPR include:-
Many of these rights are similar to those under the Data Protection Act albeit enhanced. The new right of data portability applies:-
Potentially, you now have to provide the data you hold to the individual in a machine-readable form. You need to consider whether you can do this.
Identify the Information You Hold
Under the GDPR, you have to record your processing activities and understand what data you hold. Your obligations extend to informing other organisations about any inaccurate personal data that you have provided to them. You will need to know what personal data you hold, where it came from and who you share it with.
Subject Access Requests
Organisations will need to update their procedures. Under the new rules:-
Lawful Basis for Processing Personal Data
You will now need to consider carefully your lawful basis for processing data. Under the GDPR, individuals’ rights are modified depending on your lawful basis for processing their personal data. You need to be able to explain your lawful basis for processing personal data in your privacy notices and when answering subject access requests.
Organisations will need to review how they seek, record and obtain consent for the processing of data. The guiding principle is that consent must be freely given, specific, informed and unambiguous. Consent must be based on a positive opt-in, and cannot be inferred from silence, failing to tick a box or inactivity. Consent also needs to be separate from other terms and conditions, and there will need to be simple ways for individuals to withdraw consent. Although you are not required to refresh all existing consents that have been obtained under the current data protection principles, if you rely on an individual’s consent to process their data, you will need to make sure that such consents are GDPR compliant.
Special protection is being brought in for children’s personal data, particularly in the context of commercial internet services, for example, social networking. If you offer online services to children and rely on consent to collect information about them, you are likely to need a parent or guardian’s consent in order to process that data lawfully.
You will need to have procedures in place to detect, report and investigate a personal data breach. The GDPR places a positive obligation on all organisations to report certain types of data breach to the ICO and, in some cases, to the individuals affected. You are required to notify the ICO where the breach is likely to result in a risk to individuals, for example, where the data loss could result in discrimination, damage to reputation, financial loss and/or a loss of confidentiality. Failure to report a breach could result in a fine, in addition to a fine for the breach itself. The ICO has already indicated that any failure to report will be viewed seriously.
Data Protection by Design and Data Protection Impact Assessment
The GDPR makes privacy a key element of the design of technology and imposes a requirement upon you to undertake data protection impact assessments in certain circumstances, for example:-
If your DPIA suggests that your data processing is high risk, and you cannot address those risks, you will be required to consult the ICO as to whether the processing operation complies with the GDPR.
Data Protection Officer
Every organisation should designate someone to take responsibility for data protection compliance. You will need to consider whether you should formally designate a Data Protection Officer (DPO). You must have a DPO if:-
If you work on a pan-European basis, you will need to decide which country’s Data Protection Supervisory Authority is your lead authority. This will normally be the country in which you have your main establishment, where your central management and administration takes place, or where decisions about the purposes and means of processing are taken and implemented.