Get to Grips with GDPR
With the implementation date just over a year away, there is still a lot of conjecture surrounding the impending General Data Protection Regulation (GDPR), particularly around its appropriateness and applicability once the UK leaves the EU. One thing that is clear, however, is that now is the time for any firm handling personal data to be planning ahead, as we will be helping our clients to do at our forthcoming GDPR seminar on 26th April, when we will be discussing the practical steps that any organisation should be implementing.
It is important to remember that, whatever happens post-Brexit, firms will still need to be compliant with the new GDPR rules in the time between implementation and the UK leaving the EU. Even after leaving the EU, it is improbable that the UK will substantively change the rules as they are set out in the new GDPR. By now we have all most likely come across numerous headlines concentrating on the increasing financial sanctions that the GDPR will entail for non-compliance but within the remainder of this piece I would like to touch on a handful of other areas that will pose key challenges for organisations in the months and, indeed, years ahead.
The Accountability Principle
While the concept of ‘accountability’ has long been a central tenet of existing data protection requirements, it will now be explicitly enshrined under the GDPR as a principle in its own right. Under the new rules, organisations will be obligated to take a proactive, comprehensive and ultimately accountable attitude towards compliance. This goes hand in hand with the new concepts of ‘privacy by design’ and ‘privacy by default’, which will oblige those processing personal data to ensure data privacy is conserved at the initial design stages of any new system, product or process, as well as carrying this forward throughout the lifecycle of that processing.
The accountability measures that will ultimately be appropriate to address these privacy requirements will very much depend on the purpose, nature and scope of the processing in question, in addition to the severity of any detriment on the individual’s rights and freedoms. The specific accountability measures mandated under the GDPR are also fairly wide ranging. There are heightened requirements for information to be provided to data subjects at the point of data is collected, including within privacy policies and notices. Additionally, though it is now no longer necessary to register with a supervisory authority under the GDPR, those organisations that employ more than 250 people will generally have to retain thorough internal records of data processing activities so as these can be made available to supervisory authorities on request.
Furthermore, our suppliers will for the first time be held directly accountable for the processing they do on our behalf and must make all records required to demonstrate compliance available to controllers in order to facilitate audit and inspection. Finally, depending on the volume and nature of processing being carried out, organisations may be obliged to appoint a Data Protection Officer.
Data Controller and Data Processor
As I have just mentioned, for the first time data processors will be directly compelled to adhere to certain data protection requirements which previously only applied to data controllers and, indeed, in many regards the level of burden imposed on processors will equate to that on controllers. As is well established, under the current EU Data Protection Directive it is solely the controller that is held liable for data protection compliance, not the processor operating on its behalf. Though controllers invariably seek to defer responsibilities to the processor by way of a contract and data processing agreement, controllers remain legally responsible for breaches caused by the actions of their chosen suppliers while the ICO, along with all other EU data regulators, have no power to enforce against processors.
In stark contrast, the GDPR will impose direct and explicit statutory obligations on data processors that will be subject to direct enforcement by the regulator, significant fines for non-compliance (up to the same maximum 4% of global turnover that applies to controllers) and compensation claims by data subjects for any damage caused by processors in breaching the GDPR. Processors may now only process personal data on behalf of a controller where a written contract is in place that involves several mandatory terms on the data processor and may only do so in accordance with the specific instructions of the controller, while sub-processing can only be subsequently carried out with the prior written consent of the controller.
As previously mentioned, processors must keep records of their data processing activities and make these available to the supervisory authority on request and, continuing this theme, must generally co-operate with the data protection regulator. As with controllers, processors must take appropriate organisational and technical measures to protect personal data and will now be obliged to inform controllers of any instances where data breaches have occurred. Even if your organisation is not a data controller in its own right, under certain circumstances you must still install a data protection officer to oversee data protection compliance.
Data Protection Officers
Data protection officers are already commonplace within many organisations but it will now be mandatory for certain controllers and processors to formally appoint one. Though the ICO has long since encouraged it as good practice, there will now be no choice if, among other things, you are a public body, your core activities require regular and systematic monitoring of data subjects on a large scale, or your core activities involve large scale processing of sensitive data. Interestingly, the GDPR leaves some wiggle room for member states to introduce other circumstances under which the appointment of a data protection officer is required, so we will have to wait and see whether that materialises in the UK.
It should be noted that there is also some flexibility built in to the regulations here in that the officer may be an employee or a contractor engaged under a service contract and they do not need to be legally qualified but must have expert knowledge of data protection law. It is also permissible for them to cover a group, so long as each entity has suitable access to the officer.
What is less negotiable is the set of responsibilities that the data protection officer must undertake as a minimum, which include:
informing and advising colleagues of their data protection obligations
monitoring compliance with the GDPR and the organisation’s data protection policies
providing advice regarding Privacy Impact Assessments
co-operating with the relevant supervisory authority
acting as a contact point for the supervisory authority on data processing issues
For organisations themselves, it is not as simple as recruiting a data protection officer and forgetting about it, as they are required under the law to provide their chosen individual with the resources required to successfully fulfil their duties and to maintain their expert knowledge. From a governance perspective the GDPR also requires organisations to safeguard a sufficient level of autonomy by avoiding giving instructions to the officer as to how to carry out their responsibilities, protecting them from dismissal or penalty in relation properly fulfilling these and by establishing a direct board-level reporting line.
The additional requirements within the GDPR around consent are something that we have been approached by our clients perhaps more than other area of the new regulation. Though it is certainly true that the consent of the data subject was a ground for legal processing under the Data Protection Act and that it remains so under the replacement legislation, Article 6 of the GDPR is more stringent on this subject and therefore it is crucial that organisations revisit exactly how they obtain consent from data subjects.
Under the new regulation, consent must freely given rather than given due to an imbalance between the subject and the controller, or due to the controller making processing a condition for the performance of a service or contract. If the data subject does not have genuine free choice, or if they are at a disadvantage by refusing or withdrawing consent, then consent will be presumed not to have been freely given.
Additionally, in order for consent to have been given it must also be specific and informed – the data subject must be given sufficient information regarding the controller and the reason(s) for processing, while blanket consent cannot be deemed to have been given where different types of processing take place. Continuing this thread, consent must be as easy to withdraw as it is to give and the right to withdraw is available at any time – a right that subjects must be made aware of prior to giving consent and on a ‘continuing’ basis.
Another key facet of the new consent rules is that it must now be given by an affirmative action – this means that the days of obtaining consent through the likes of pre-ticked boxes are over, though the data subject ticking a box to confirm consent will remain valid (though note that this is not permissible for sensitive personal data, which still requires explicit consent).
Lastly, I would like to touch on the new breach notification regime that will apply under the GDPR, as this is certainly one of the biggest departures from current UK data protection legislation. Currently specific notification requirements are thin on the ground and only apply in certain sectors and circumstances. From next year, however, organisations will have a legal duty to inform the regulator, and potentially the data subjects themselves, within 72 hours when breaches occur that are likely to pose a risk to the rights and freedom of the affected individuals. In the instance of a breach by a processor, the controller must likewise be notified without undue delay.
These notifications will need to describe the breach, including numbers of data records and subjects affected, state the likely consequences of the breach and the measures proposed or taken to address the breach and mitigate its impact, and identify the company’s data protection officer for subsequent contact and queries.
If you are yet to get to grips with the GDPR and are currently behind the curve, or even if you are just looking for some reassurance regarding your approach to the changes, why not join us at our GDPR seminar on 26 April 2017 at St George’s Centre, Leeds, LS1 3DL. We will be providing a comprehensive review of the new legislation, the changes this entails and sharing what good looks like in terms of the road map to compliance.
£199pp lunch included
9am to 3.30pm
Contact us to register interest: