The new EU General Data Protection Regulation (“GDPR”) will apply in the UK from 25 May 2018 and it will continue to apply even after Brexit.
The changes from the current Data Protection Act (DPA) – in particular new transparency and individuals’ rights provisions – are likely to have significant budgetary, IT and governance implications for your company or for anyone who handles data. Businesses will need to have appropriate systems in place to show their compliance with the new rules.
The GDPR applies to “personal data” and imposes safeguards on its processing. The definition of “personal data” has been expanded to include any information which relates to an identifiable person, e.g. pseudonyms and IP addresses (as online identifiers) as well as genetic and biometric data.
The GDPR applies to both “data controllers” and “data processors”, and both can be fined for breaches of data protection. It also catches controllers and processors outside the EU who target consumers in the EU.
A “data controller” is a person or company who decides how and why personal data is processed.
A “data processor” is a person or company who acts on the controller’s behalf to process the data.
The GDPR places greater emphasis on the accountability of the data controller. As a result, as data controller, you are responsible for and must document the decisions you take about a processing activity. For the first time, a data processor also has specific obligations.
Rights for individuals
The GDPR sets out the following rights for individuals:
- The right to be informed – This stresses the need for transparency over how personal data is used and reflects your obligation as data controller to provide “fair processing information”.
- The right of access – Individuals are permitted to access their personal data so that they are aware of and can confirm the lawfulness of your data processing.
- The right to rectification – Individuals are entitled to have their data rectified where it is inaccurate or incomplete.
- The right to be forgotten – Individuals are entitled to request that their personal data be erased where there is no compelling reason for it to be processed. This is not absolute and there are some specific circumstances where you can refuse to deal with a request, e.g. where data is processed to exercise the right of freedom of expression or information, for purposes in the public interest, or in legal claims.
- The right to restrict processing – Individuals can block or restrict processing, e.g. where they contest the accuracy of the data, or when they require the data in relation to a legal claim.
- The right to data portability – An individual is entitled to be provided with a copy of their personal data which you hold, in a format which is easily transferable and secure.
- The right to object – Individuals can object to direct marketing (including profiling) and processing for statistical purposes. You must inform them of their right to object in your privacy notice and expressly bring it to their attention “at the first point of communication”.
Any information requested must be provided within one month of the request and free of charge (the GDPR removes the £10 subject access fee under the DPA). A “reasonable fee” can be charged where the request is excessive or repeated. The data controller is also responsible for ensuring that any third party to whom it has passed information is informed of any changes to the personal data.
Duties of controllers and processors
The GDPR imposes obligations on data controllers and processors to show compliance. These include:
- Accountability – you should document what personal data you hold; where it came from; and with whom you share it. Data controllers will need to conduct data protection impact assessments and implement data protection / privacy by design – both of which are express legal requirements under the GDPR. Policies and documented procedures are necessary as evidence of compliance with the new rules.
- Data protection officer (DPO) – you may need to designate a Data Protection Officer as part of your accountability requirement, e.g. if your data processing activities consist of regular and systematic monitoring of individuals’ data on a large scale.
- Record keeping – Controllers and processors will need to keep written records of processing activities. How is consent sought, obtained and recorded? You must also ensure you have the right internal procedures to detect, report and investigate a data breach.
- Consent – you will need to show that consent was specifically obtained (and recorded) because an individual’s consent cannot be implied from silence or inactivity. Consent must be verifiable and controllers will need to be able to demonstrate that it was given.
- Communicating privacy information – when you collect personal data, you will need to provide more information to the individual about why you are doing so; how long you will retain the data; and that they have a right to complain to the Information Commissioner’s Office (ICO) if they think there is a problem with your handling of their data.
- Legal basis for processing – you will need to set out your legal basis for processing personal data within your privacy notice as well as in your reply to a subject access request. This should be documented in order to comply with the GDPR’s accountability requirement.
- Special protection for children – This is particularly relevant in the context of social networking. Controllers will need to obtain a parent’s or guardian’s consent in order to process the personal data of someone under 13 (in the UK).
- Subject access requests – you must have procedures to deal with requests within the new timescale (one month rather than 40 days). You also need to provide additional information to people making requests, e.g. your data retention periods and the right to have incorrect data amended.
- Data breaches – you must have procedures to detect, report and investigate a personal data breach. The GDPR introduces a duty to notify in all cases if there is a breach (some but not all breaches must be notified to the ICO). A failure to report a breach could result in a further fine in addition to the fine for the breach.
The GDPR has increased the fines which may be imposed for breaches of data protection by data controllers and/or data processors. There are two levels of fines for companies for infringements (the level imposed depends on the infringement): (i) the higher of EUR 10 million and 2% of a company’s annual worldwide turnover, or (ii) the higher of EUR 20 million and 4% of a company’s annual worldwide turnover.
What do you need to do?
- Prepare for data security breaches – review your policies and procedures to ensure you can react to breaches quickly and notify in time.
- Implement privacy by design – ensure privacy is embedded in your processes and handling of data.
- Train your staff – ensure they understand their obligations.
- Demonstrate your protection of data – comply with requirements of accountability and transparency. Establish a culture of monitoring, reviewing and assessing your processing procedures to ensure minimal data processing and retention.
- Review your privacy notices and policies – the information you provide should be clear and in plain language.
- Be aware of an individual’s rights – be prepared for data subjects to exercise their rights. Ensure you have processes to deal with deletion and data portability. If you store personal data, it is for you to prove that your legitimate grounds to retain data override an individual’s interests.
- Check whether consents are needed – review whether your forms of consent are adequate (to ensure consents are specific and informed).
This article was written by Fiona Galloway, a Solicitor in the firm’s Dispute Resolution team who has particular expertise in legal compliance issues.
For more information on this or on any compliance issues please contact Fiona Galloway on 020 7408 8888 or Fiona.Galloway@dwfmbeckman.com