GDPR Update

The GDPR – MAY 2018 APPROACHING FAST

The GDPR – General Data Protection Regulation is a new lengthy EU Regulation harmonising and strengthening data protection within the EU that comes into effect on 25 May 2018.  The GDPR applies to all countries that process or hold the personal data of EU citizens, whether that country is part of the EU or not.  The Government has already confirmed that the GDPR will form part of UK law following the UK’s withdrawal from the EU.  If you have not already started planning then you need to do so now.

It is important that businesses take steps to consider their obligations under the GDPR, not least because the fines for non-compliance can reach a maximum of 4% of your organisation’s global annual turnover, or up to €20m, whichever is the greater amount.

The Office of the Information Commissioner has made a number of recommendations for businesses to follow.  This note summarises those recommendations.

Awareness

Your senior management team need to be aware of the GDPR and consider the compliance and governance issues that arise.

Communicating Privacy Information

Under the Data Protection Act, when you collect personal data, you have to inform individuals of certain information, for example, your identity and how you intend to use their personal information.  Under the GDPR, you need to explain your lawful basis for processing the data, the data retention periods and that individuals have a right to complain to the Office of the Information Commissioner (“ICO”), if they have a concern with how you handle that data.

Organisations will need to review their procedures to ensure they cover all the rights individuals have.  Individuals enjoy the same rights under the GDPR as those which they enjoy under the Data Protection Act, but also have additional rights to object and not to be subject to automated decision making.

Individual Rights

Many of the rights under the Data Protection Act continue to apply.  Rights under the GDPR include:-

• the right to be informed;
• the right of access;
• the right to rectification;
• the right to erasure;
• the right to restrict processing;
• the right to data portability;
• the right to object
• the right not to be subject to automated decision making including profiling.

Many of these rights are similar to those under the Data Protection Act albeit enhanced.  The new right of data portability applies:-

• in relation to data provided by an individual to you;
• when the data is processed based on the individuals’ consent or is necessary for the performance of a contract;
• where processing is by automated means.

Potentially, you now have to provide the data you hold to the individual in a machine readable form.  You need to consider whether you can do this.

Identify the Information You Hold

Under the GDPR, you have to record your processing activities and understand what data you hold.  Your obligations extend to informing other organisations about any inaccurate personal data that you have provided to them.  You will need to know what personal data you hold, where it came from and who you share it with.

Subject Access Requests

Organisations will need to update their procedures.  Under the new rules:-

1. in most cases, you will not be able to charge for complying with a request;
2. there is a shorter timescale to comply of a month, rather than the current 40 days;
3. you can refuse or charge for requests that unfounded or unreasonable;
4. if you refuse a request, you must tell the individual why and that they have the right to complain to the supervision authority and to a judicial remedy. This must be done without undue delay and, at the latest, within one month.

Lawful Basis for Processing Personal Data

You will now need to consider carefully your lawful basis for processing data.  Under the GDPR, individuals’ rights are modified depending on your lawful basis for processing their personal data.  You need to be able to explain their lawful basis for processing personal data in your privacy notices and when answering subject access requests.

Consent

Organisations will need to review how they both seek, record and obtain consent for the processing of data.  The guiding principle is that consent must be freely given, specific, informed and unambiguous.  Consent must be based on a positive opt in, and cannot be inferred from silence, failing to tick a box or inactivity.  Consent also needs to be separate from other terms and conditions and there will need to be simple ways for individuals to withdraw consent.  Although you are not required to refresh all existing consents that have been obtained under the current data protection principles, if you rely on an individuals’ consent to process their data, you will need to make sure that such consents are GDPR compliant.

Children

Special protection is being brought in for children’s personal data, particularly in the context of commercial internet services, for example, social networking.  If you offer online services to children and rely on consent to collect information about them, you are likely to need a parent or guardian’s consent in order to process that data lawfully.

Data Breaches

You will need to have procedures in place to detect, report and investigate a personal data breach.  The GDPR places a positive obligation on all organisations to report certain types of data breach to the ICO and, in some cases, to individuals.  You are required to notify the ICO where it is likely to result in a risk to individuals, for example, the data loss could result in discrimination, damage to reputation, financial loss and/or a loss of confidentiality.  Failure to report a breach could result in a fine, as well as a fine for the breach itself.  The ICO are already indicating that any failure to report will be viewed seriously.

Data Protection by Design and Data Protection Impact Assessment

The GDPR makes privacy a key element of the design of technology and imposes a requirement upon you to undertake data protection impact assessments in certain circumstances, for example:-

• where you deploy new technology;
• where you have a profiling process likely to significantly affect individuals; or
• the large scale processing of special categories of data.

If your DPIA suggests that your data processing is high risk, and you cannot address those risks, you will be required to consult the ICO as to whether the processing operation complies with the GDPR.

Data Protection Officer

Every organisation should designate someone to take responsibility for data protection compliance.  You will need to consider whether you should formally designate a Data Protection Officer (DPO).  You must have a DPO if:-

• you are a public authority;
• you are an organisation that carries out the regular and systematic monitoring of individuals on a large scale;
• you are an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions.

International Organisations

If you work on a pan European basis, you will need to decide in which country is your lead Data Protection Supervisory Authority.  This normally would be the country in which you have your main establishment, where your central management and administration takes place, or where decisions about the purposes and means of processing are taken and implemented.