Article written by Irving David, Intellectual Property Partner at DWFM Beckman Solicitors
General Data Protection Regulation
The new General Data Protection Regulation came into force on 25 May 2018.
In the second of his two part review, Irving David looks at the key issues addressed by the Regulation. The First Instalment covering points 1 through 6 of Irving’s review were published last week and can be found at http://dwfmbeckman.com/general-data-protection-regulation/
- Privacy Management
Organisations must accept that privacy is of the utmost importance.
The GDPR requires a “Risk Based Approach” where appropriate organisational controls must be developed according to the degree of risk associated with the particular data processing activities.
Where appropriate, privacy impact assessments must be carried out, the focus being on protecting data subject rights.
Consent is one of the bases for legal processing (along with legitimate interests, necessary execution of a contract and others).
For marketing companies especially there has been considerable discussion as to what type of consent that might be required under the GDPR.
According to the GDPR consent means:
“any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;”
Consent must be:
“collected for specified, explicit and legitimate purposes”
This means that it needs to be apparent to the data subject for what purpose their data will be used at the time the data is collected.
Consent must also be “demonstrable” ie organisations need to be able to demonstrate precisely when and how consent was gained.
Consent must be freely given – and withdrawing consent should always be possible – and should be as easy as giving it.
- Information Provided at Data Collection
The following information must be made available to a Data Subject when data is collected:
- the identity and the contact details of the data controller and data protection officer
- the purposes of the processing for which the personal data are intended
- the legal basis of the processing
- the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data;
- where applicable, that the controller intends to transfer personal data internationally
- the period of time for which the personal data will be stored, or if this is not possible,
- the criteria used to determine this period;
- the existence of the right to access, rectify or erase the personal data;
- the right to data portability;
- the right to withdraw consent at any time;
- and the right to lodge a complaint to a supervisory authority
Additionally, where data is not obtained directly from a data subject – for example by using a third party mailing list – the following apply:
- from which source the personal data originates;
- the existence of any profiling and meaningful information about the logic involved; and
- the significance and the envisaged consequences of such processing for the data subject.
There are some exceptions – notably where the effort would be disproportionate (although this is unlikely to be a good justification in day to day circumstances) and, importantly, where the information has already been provided to the data subject.
The GDPR defines profiling as:
“Any automated processing of personal data to determine certain criteria about a person. In particular to analyse or predict aspects concerning that natural person’ s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
Individuals have the right not to be subject to the results of automated decision making, including profiling, which produces legal effects on him/her or otherwise significantly affects them. So, individuals can opt out of profiling.
Automated decision making is lawful where individuals have explicitly consented to it, or if profiling is necessary under a contract between an organisation and an individual, or if profiling is authorised by the EU or Member State Law.
- Legitimate Interests & Direct Marketing
The regulation specifically recognises that the processing of data for “direct marketing purposes” can be considered as a legitimate interest.
Legitimate interest is one of the grounds, like consent, that an organisation can use in order to process data and satisfy the principle that data has been fairly and lawfully processed.
The GDPR says that processing is lawful if: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Curiously, “Direct Marketing” has not been defined – so consideration should be given to the precise nature of the marketing activity proposed to be covered by this ground for processing.
It may, for example, mean that a simple mailing of goods and services to existing customers and prospects is completely legitimate without direct consent – but it certainly does not include “Profiling” for marketing purposes which does require consent.
- Breach & Notification
According to the GDPR, a “personal data breach” is:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Data controllers must notify the appropriate supervisory authority – in the UK the ICO – of a personal data breach:
“without undue delay and, where feasible, not later than 72 hours after having become aware of the breach.”
If notification is not made within 72 hours, the data controller must provide a “reasoned justification” for the delay.
Notice is not required if:
“the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals,”
Note that when a data processor experiences a personal data breach, it must notify the data controller but otherwise has no other notification or reporting obligation.
Should the data controller determine that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals:
“it must also communicate information regarding the personal data breach to the affected data subjects.”
Under Article 32 of the GDPR, this must be done “without undue delay.”
The GDPR provides exceptions to this additional requirement to notify data subjects in the following circumstances:
- The data controller has: “implemented appropriate technical and organisational protection measures” that “render the data unintelligible to any person who is not authorised to access it, such as encryption”;
- The data controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialise;
- When notification to each data subject would “involve disproportionate effort,” in which case alternative communication measures may be used.
- Data Subject Access Requests (“DSARs”)
The GDPR provides for Individuals to have more information as to how their data is being processed and requires that this information should be available in a clear and understandable way.
Where requests to access data are “manifestly unfounded or excessive”, a company will be able to charge a fee for providing access as was the case previously.
However, where a request is not “manifestly unfounded or excessive” no charge may be made for the requested information.
DSAR’s must be executed “without undue delay and at the latest within one month of receipt of the request.”
- The Right to Data Portability
This part of the GDPR seeks to drive automated transfers of data (using a common format yet to be defined) between services which primarily process customers automatically – so for example these could include utilities, banks, telecoms and ISP’s.
- Data Retention and the Right to be Forgotten
Data controllers must inform data subjects on collection of the period of time that data will be retained.
Should the data subject subsequently wish to have their data removed and the data is no longer required for the reasons for which it was collected then it must be erased.
Note that there is a responsibility for data controllers to take “reasonable steps” to notify data processors and other downstream data recipients of such requests by a data subject.
For further information on this topic please contact Irving David in our IP Department:
t: +44 (0)20 7408 8888