Article written by Irving David, Intellectual Property Partner at DWFM Beckman Solicitors
General Data Protection Regulation
The new General Data Protection Regulation came into force on 25 May 2018.
In the first of a two-part review, Irving David looks at the key issues addressed by the Regulation. The second instalment will appear in one week’s time.
Running to over 200 pages, the new General Data Protection Regulation is designed to give individuals more control over their personal data.
- European Union Harmonisation
The GDPR comprises a single set of data protection rules with which all EU-based organisations must comply.
Organisations based outside the EU are also subject to the GDPR if they collect data concerning an EU resident.
- The meaning of “Personal Data”
“Personal data” is defined in the GDPR as:
“any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
The information covered includes any that relates to an individual (“a data subject”) in his or her private or public life.
It also includes online identifiers such as IP addresses and cookies, which are now considered to comprise “personal data” if they can be traced back to the “data subject”, i.e. to the individual concerned.
- Controllers and Processors
A data controller is the entity that exercises control over the processing of data and which carries data protection responsibility for it. The data controller determines the purpose for which data is processed.
A data processor, by contrast, is the entity that processes data on behalf of the data controller.
The GDPR draws a distinction between the responsibilities and duties of data controllers and data processors.
- Data controllers may only work with data processors who provide:
“sufficient guarantees to implement appropriate technical and organisational measures”
To meet the GDPR’s provisions and to safeguard data subjects’ rights, such “technical and organisational measures” must take into account:
“the costs of implementation”
“the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.”
The GDPR contains guidance as to the type of security actions which might be considered “appropriate to the risk,” including:
- The pseudonymisation and/or encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data.
- The ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
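The first of the measures listed above, pseudonymisation, is the one most often misunderstood in practice: replacing a name or an IP address with a token is only a safeguard if the means of reversing it (the key, or a lookup table) is held separately from the pseudonymised data. The following Python example is added here to illustrate that point; it is not code from the article or from the author’s firm. It assumes a constructed set of fictional records containing the kinds of identifiers the article lists (a name, an identification number and an IP address) and uses a keyed HMAC so that records about the same person remain linkable for analysis while a processor holding only the output cannot recover the identifiers.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records (fictional). They carry the kinds of identifiers the
# article names as personal data: a name, an identification number and an IP
# address (203.0.113.0/24 is the RFC 5737 documentation range, never routed).
SAMPLE_RECORDS = [
    {"name": "Jane Example", "customer_id": "C-000123", "ip_address": "203.0.113.7", "purchase_total": 42.50},
    {"name": "Jane Example", "customer_id": "C-000123", "ip_address": "203.0.113.7", "purchase_total": 9.99},
    {"name": "John Sample", "customer_id": "C-000987", "ip_address": "203.0.113.42", "purchase_total": 120.00},
]

# Fields treated as identifying; everything else is left in clear.
IDENTIFYING_FIELDS = ("name", "customer_id", "ip_address")


def token_for(key: bytes, field: str, value: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over (field name, value).

    Binding the field name into the message means the same string used as a
    name and as an id yields different tokens. The hex digest is truncated to
    128 bits for readability only; the token still cannot be inverted without
    the key, which is what distinguishes this from a plain (unkeyed) hash that
    an attacker could rebuild from a dictionary of likely names or IPs.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


class Pseudonymiser:
    """Holds the secret key and the re-identification table.

    Only the party holding this object (the data controller, in the article's
    terms) can map tokens back to identifiers. A processor that receives only
    the output of pseudonymise() has neither the key nor the table.
    """

    def __init__(self, key: Optional[bytes] = None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}  # token -> original value, kept with the controller

    def pseudonymise(self, record: dict, fields=IDENTIFYING_FIELDS) -> dict:
        out = dict(record)
        for field in fields:
            original = str(record[field])
            token = token_for(self.key, field, original)
            self.lookup[token] = original
            out[field] = token
        return out

    def reidentify(self, token: str) -> Optional[str]:
        """Reverse lookup, available to the key holder only."""
        return self.lookup.get(token)


def pseudonymise_batch(records: List[dict], key: Optional[bytes] = None) -> Tuple[Pseudonymiser, List[dict]]:
    """Pseudonymise a batch; returns the controller-side state and the records to hand over."""
    p = Pseudonymiser(key)
    return p, [p.pseudonymise(r) for r in records]


def distinct_subjects(pseudonymised_records: List[dict], field: str = "customer_id") -> int:
    """Analysis a processor can still perform: count distinct subjects by their
    consistent token without learning who they are."""
    return len({r[field] for r in pseudonymised_records})


if __name__ == "__main__":
    controller, handed_over = pseudonymise_batch(SAMPLE_RECORDS)
    for r in handed_over:
        print(r)
    print("distinct subjects:", distinct_subjects(handed_over))
    print("controller can re-identify:", controller.reidentify(handed_over[0]["customer_id"]))
```

The design choice worth noting is that the key and the lookup table live in the `Pseudonymiser` object and never travel with the records; if the same party holds both the tokens and the key, the data is effectively still identifiable, and the “pseudonymisation” offers no safeguard of the kind the Regulation is describing.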
The arrangements in place between Data Controllers and Data Processors must be in writing and must contain appropriate privacy obligations – i.e. data controllers must be satisfied as to their data processors’ privacy safeguards.
There are potentially substantial fines for companies that do not follow the GDPR requirements. The Information Commissioner’s Office (“the ICO”) in the UK now has authority to issue penalties up to €20 million or 4% of the entity’s global gross revenue, whichever is the greater.
- Data Protection Officers
All public authorities must appoint Data Protection Officers as must any organisation regardless of the number of its employees where the key activities of the controller or the processor involve:
“regular and systematic monitoring of data subjects on a large scale”
or where the entity conducts large-scale processing of:
“special categories of personal data”
i.e. categories that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like. This will apply to some of the larger scale Marketing Service Providers and Research Organisations – but needs further clarification from the ICO.
The GDPR requires that Data Protection Officers have:
“expert knowledge of data protection law and practices.”
the level of which:
“should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”
The Data Protection Officer’s tasks also include:
- Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
- Monitoring compliance including managing internal data protection activities, training data processing staff, and conducting internal audits.
- Advising with regard to data protection impact assessments when required under Article 33.
- Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data.
- Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.
Data Protection Officers can require that their organisation makes available adequate resources to enable them to fulfil their role and that they receive regular training.
They must be accorded direct access to the organisation’s data processing personnel and enjoy significant independence in the performance of their roles, together with a direct reporting line:
“to the highest management level”
of the organisation.
Data Protection Officers are expressly granted significant independence in their job description and may only perform other tasks and duties if they do not create a conflict of interest.
The GDPR expressly prohibits the dismissal or penalising of a Data Protection Officer for the performance of his or her tasks.
The GDPR permits the Data Protection Officer’s functions to be performed by either an employee of the data controller or data processor or by a third party service provider.
In Part 2 of this Review, Irving will address further aspects of the GDPR including:
- Privacy Management
- Availability of Information Provided at Data Collection
- Data Breaches & Notification
- Data Subject Access Requests (“DSARs”)
- The Right to Data Portability
- Data Retention and the Right to be Forgotten
For further information on this topic please contact Irving David in our IP Department:
t: +44 (0)20 7408 8888