General Data Protection Regulation ("GDPR")

With less than six months until the new General Data Protection Regulation comes into force, Corporate Partner, Richard Clapham, outlines the issues that you need to consider to ensure your organisation is compliant.

1. Introduction

Data generation has increased exponentially in the past couple of decades without any sign of it slowing down.  90% of all data in the world today has been created in the last two years alone and the current daily output of online data is around 2.5 quintillion bytes (source: IBM Marketing Cloud, 10 Key Marketing Trends for 2017), with a significant part of this data being personal data.

This rapid pace in data generation, however, has not been matched by data protection laws.  In the UK we rely on legislation, the Data Protection Act 1998 (“DPA 1998”), which was drafted whilst the internet was very much in its infancy.  It did not envisage the huge surge of data which quickly ensued, where we can run multiple web searches, mobile apps, social media posts, etc, all in one go.  And that’s just online.  We of course still generate vast quantities of data on employees and clients, for example, with those quantities of data only set to increase as the laws on compliance become more and more stringent.

So, in a bid to address this legislative shortfall, in 2012 the European Commission decided to harmonize data protection laws by creating a single legal framework for personal data across the EU, resulting in the General Data Protection Regulation, or “GDPR” as it is commonly referred to.  The GDPR will be directly applicable in all EU member states, including the UK, from 25 May 2018, and even though we will be leaving the EU shortly thereafter, compliance with the GDPR will remain crucial (see “GDPR and Brexit” below).

The Good News

If you are currently compliant with the DPA 1998 then you are a good way towards being compliant with the GDPR.

However, …

The GDPR brings about some very important additions and therefore the advice coming from the Information Commissioner’s Office (ICO) is to make an immediate start planning compliance, identifying areas of the organisation where GDPR is likely to have the greatest impact and putting in place appropriate systems now before 25 May 2018.

2. Consequences of non-compliance

One of the most talked-about elements of the GDPR is the new set of penalties for non-compliance.  In the UK the current maximum fine for a data protection breach is £500,000.  Under the GDPR it will be up to either £18 million or 4% of the total worldwide annual turnover of the organisation’s undertaking, per breach, whichever is higher.  The message on compliance is clear: data protection must be a priority.

3. Who needs to comply with the GDPR?

Every individual and organisation (in this article together referred to as “organisation”) which collects, holds, processes or comes into contact in any way with personal data must comply with the GDPR.

Strictly speaking, under data protection laws, organisations are split into two categories: data controller and data processor.  Most data protection laws under the DPA 1998 apply to data controllers, giving data processors considerable freedom.  However, the GDPR addresses this imbalance by imposing direct obligations and liability also on data processors.

Furthermore, whilst a distinction is drawn between the two titles in legislation, the reality is that almost all organisations will at some point be both a data controller and a data processor.  Hence, the prudent organisation should seek to comply with data protection laws now, regardless of whether they are a data controller or a data processor, particularly in light of the potential penalties for non-compliance coming into force.

4. How do I comply with the GDPR?

This is of course the question which every organisation is asking and unfortunately, at the moment, there is no definitive answer.  All that can be done is to make best efforts to have in place the necessary methods, policies, training etc. to demonstrate an intention of compliance, making changes as necessary once further guidance is issued by the ICO and test cases are presented before the courts.  In December 2017 the ICO published some helpful new resources aimed at helping small and medium sized organisations prepare for the GDPR, which include a self-assessment checklist that produces a bespoke report on what the organisation needs to do, a FAQ document and a helpful guide.  Links to all of these can be found at the end of this article.

5. Key areas under the GDPR

Aside from significantly inflated penalties, the GDPR implements a number of changes to what organisations need to consider when handling data, namely consent, accountability, rights of the data subject, transfers of data and security breaches.  Dealing with each in turn:

Consent

One of the common problems data subjects find is that their personal details end up being processed by a marketing company, or sold to a third party, or exploited in some other way without the data subject ever having knowingly given their consent.  The GDPR seeks to address this by including stringent new conditions on data controllers to obtain valid consent from data subjects.  Such new conditions include:

  • Consent can no longer be hidden at the end of a long document in tiny print.  Instead it must be distinguishable from the rest of the document and written in plain language.
  • The data subject must be able to withdraw their consent whenever they choose and the process for doing this must be simple.
  • It is common for data processing to be a condition for the performance of a contract.  Whilst the GDPR does not prohibit this, there is a warning that this will be taken into account when determining whether consent was given freely.
  • As expected, the GDPR provides new safeguards for children: in particular, consent given by a child will only be valid if given by that child’s legal guardian.

Much like the DPA 1998, consent will not be needed in certain specific circumstances, such as when the data is processed in connection with the performance of a contract to which the data subject is a party or is processed to comply with a legal obligation.  A new exemption is to be added under the GDPR, namely if the data is processed to pursue the organisation’s legitimate interests.  “Legitimate interests” will include situations where the data subject is a client or employee of the organisation, or processing is needed to prevent fraud.

Accountability

A new key element under the GDPR is that organisations will not only need to comply with the general principles of the GDPR, but they will also need to actively demonstrate compliance.  That is to say organisations must implement appropriate technical and organisational measures to demonstrate that the processing of personal data is done in compliance with the GDPR, with reviews and updates of those measures taking place when necessary.  There is no defined list of what those measures entail, but this would likely include new policies, internal training, record keeping, assessments, reporting and appointing a data protection officer (DPO), all with the aim of complying with the GDPR.

The appointment of a DPO is only mandatory in certain cases, in particular where special categories of data are being processed.  The DPO must report to the highest level of an organisation’s management, and monitor the implementation and application of those measures referred to above, amongst other responsibilities.

Rights of the data subject

Data subjects are to be given considerably greater powers in relation to their personal data, which will almost certainly require all organisations to amend their IT and other data management systems.

Information notices (also known as privacy notices) – There is often confusion on the part of the data subject when handing over personal data, mainly since the information notices are very long-winded and full of legalese.  The GDPR seeks to remove this confusion by prescribing what the notices must contain and how they must appear to the data subject.

Subject access requests – The GDPR will add scope to the already existing right of subject access requests including:

  • Must provide data in electronic form unless requested otherwise.
  • No right to charge a fee unless request is manifestly unfounded or excessive (under the DPA 1998 organisations may charge a £10 fee).
  • Response time is now one month.
  • Any personal data being provided must not be altered or concealed beforehand.

Right to erasure – More commonly referred to as the “right to be forgotten”, this right will oblige organisations to delete all personal data held on a data subject at their request and under certain circumstances, including where there is no longer a legitimate ground for retaining or need for processing that personal data, or the processing is unlawful.

Data portability – Data subjects will have the right to have a copy of their personal data in a commonly used electronic and structured format that allows for further use, including by other data controllers.

Profiling – “Profiling” is any automated processing of personal data which is used to evaluate certain personal aspects of the data subject, for example a data subject’s location or movements and their shopping habits.  The GDPR imposes strict information obligations in relation to this and organisations must comply with a data subject’s rights to object.  Prior consent to profiling is likely to be required.

Special categories of personal data – Certain special categories of personal data will enjoy a higher level of protection, similar to the current treatment in the UK of sensitive personal data.  These categories include racial or ethnic origin, political opinions, religious beliefs and personal health.  As with sensitive personal data, such special categories of personal data will only be allowed to be processed in very limited circumstances, mainly where the data subject has given explicit consent, the information is already in the public domain, or the processing relates to legal claims.

Transfers of data

The restrictions on transferring personal data to countries outside the EEA are to continue under the GDPR unless those countries are deemed by the EU to provide an adequate level of protection, similar to that of the GDPR.  There already exist a handful of international transfer solutions, such as the EU-US Privacy Shield.

Hence, even though the UK is leaving the EU, all UK organisations hoping to deal with personal data which will cross to and from the EU must be GDPR compliant.

Security breaches

Under current data protection laws there is very little obligation on organisations to notify either regulators or affected customers of a data protection breach.  The GDPR seeks to address this by introducing three new requirements:

i) Data processors must have appropriate security in place.  Currently this obligation only applies to data controllers.

ii) Mandatory reporting of data breaches to the ICO, together with careful documenting of the breach itself.

iii) Mandatory reporting of data breaches to data subjects in certain situations.

6. GDPR and Brexit

The EU Withdrawal Bill will ensure that on Brexit all EU law will remain in effect in the UK.  Following Brexit, the GDPR, like other EU legislation, could be scrapped.  However, with so many organisations already relying on the ability to operate across borders, the ICO have confirmed that “international consistency around data protection laws and rights is crucial both to businesses and organisations, and to consumers and citizens”.  GDPR compliance, amongst other things, may also be a condition of any future UK-EU trade deal as we leave the EU.  It therefore seems almost certain that post Brexit the GDPR regime will stay in place.

7. Conclusion

Very few organisations, if any, do not deal with personal data and, with the threat of potentially crippling penalties, all organisations would be well advised to take immediate steps to prepare themselves for the fast-approaching regulatory changes.  UK organisations cannot treat Brexit as any form of exemption from the GDPR, particularly in light of the ICO’s regular assurances that our data protection laws will remain at the very least as robust as those implemented under the GDPR.  Therefore all organisations must make a start preparing themselves, if they have not done so already, for the arrival of the GDPR.

The ICO’s website provides some very helpful guidance, including that referred to under point 4 above, as follows:

1) A self-assessment checklist on getting ready for the GDPR, which produces a bespoke report on what SMEs will need to do:

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/

2) A FAQs document answering questions that have been asked most often by SMEs in relation to the GDPR:

https://ico.org.uk/for-organisations/business/guide-to-the-general-data-protection-regulation-gdpr-faqs/

3) A helpful guide to the GDPR:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Whilst the requirements and wealth of information on the GDPR may seem rather overwhelming, particularly to small organisations with very limited resources, the implementation date of 25 May 2018 should not be seen as the deadline to be 100% GDPR compliant.  Rather, organisations must be able to show that they are taking all reasonable steps to be compliant, for example:

  • data mapping (i.e. keeping track of where your data and information flows),
  • appointing a data protection officer,
  • putting in place privacy notices, a data protection policy and technical or security audits,
  • checking that contracts with suppliers and other third parties are GDPR compliant,
  • ensuring you have good data security (e.g. a firewall, secure password protection and encryption of data taken off your premises),
  • implementing system changes to enable data subject rights,
  • making sure you have appropriate consents in place for marketing purposes,
  • carrying out privacy impact assessments,
  • providing internal training; and
  • putting in place efficient breach reporting systems.

What steps are considered reasonable will of course vary from organisation to organisation, and professional advice should be sought if needed.

Ultimately the aim of the GDPR is to create a data protection regime which will stand the tests of time and advances of technology, not create quick-fix solutions.

Information contained in this article does not constitute legal advice and is provided for information purposes only.  You should always seek legal advice relevant to your specific situation.

Posted on 11/01/2018 by Pam Bowring