GDPR What Now?

You may have seen or heard murmurings about the new General Data Protection Regulation (GDPR) in recent months, but what is it, and why is it important?

In an increasingly digital world, data processing affects almost every aspect of our lives. Data protection has been part of UK law for years, currently covered by the Data Protection Act 1998. But how many of us read the terms and conditions on websites? Do we look to find out who is collecting our data and what they might use it for? Is everyone in your business aware of the rules and responsibilities which fall under data protection law?

The GDPR consolidates and enhances data protection rights and introduces some new obligations. Any organisation which holds or controls data will need to be compliant with the new regulations by the time they come into force on 25th May 2018. This regulation originates in the EU, but the UK Government has confirmed it will be adopted regardless of Brexit. There is currently legislation going through Parliament to implement it in the UK.

There is a lot of information on this issue and it can be a daunting and confusing prospect. This article will briefly cover some key changes introduced by the GDPR which organisations will need to be aware of.

Why is it important?

So why is the GDPR important? Data protection is not the most enthralling subject for most, but it is increasingly relevant, and the GDPR seeks to bring the law up to date as well as introducing some new rights and obligations. For individuals, the regulation is intended to protect their rights and personal information. For organisations, a key reason to be concerned with the GDPR is that it increases the maximum fine which a supervisory authority can impose for breaches. In the UK, the relevant authority is the Information Commissioner (ICO). Currently the maximum fine is £500,000. On the introduction of the GDPR, in certain circumstances it will be the equivalent of 20 million euros or 4% of global annual turnover, whichever is greater. The ICO has generally avoided measures as drastic as this in the past, but serious, repeated failures to comply with the legislation increase the risk of fines. It should also be noted that there are no exceptions based on the size of the organisation.

The GDPR applies to any organisation established in the EU, and also to organisations outside the EU which offer goods or services to, or monitor the behaviour of, individuals in the EU. It imposes obligations on data controllers, being any person or body who determines the purposes and means of processing data, and on data processors, being any person or body who processes data on behalf of a controller. The GDPR will require written contracts to be in place between data controllers and the processors who process data on their behalf. In practice, any person or organisation who collects and holds personal data and decides what it is used for may be a data controller.

Changes to Data Protection

This article will look broadly at the following points:

  • Introduction of a new principle of accountability, which will require those controlling data to be able to demonstrate they comply with the regulation;
  • Changes to obtaining consent for processing data, requiring consent to be more explicit;
  • New rules around data used for profiling;
  • Requirements for privacy notices and policies;
  • Increased enforcement powers for authorities;
  • A new obligation to report data breaches;
  • New requirements for certain organisations to have Data Protection Officers;
  • Privacy Impact Assessments; and
  • Introduction of the ‘right to be forgotten’.

Data Protection Principles

The current legislation lists eight key principles which should be observed when processing personal data of individuals. These are that personal data should:

  • be processed fairly and lawfully, and not be processed unless specific conditions in the legislation are met;
  • only be obtained for one or more specified and lawful purposes and not be processed for any other purpose;
  • be adequate, relevant and not excessive in relation to those purposes;
  • be accurate and, where necessary, kept up to date;
  • not be kept for longer than is necessary for the relevant purposes;
  • be processed in accordance with the rights of data subjects under the Act;
  • be protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage; and
  • not be transferred outside the European Economic Area unless the destination country ensures an adequate level of protection for the data.

Accountability

The GDPR introduces a new principle of accountability, which will require organisations to be able to demonstrate how they comply with the principles above. This may involve:

  • carrying out internal audits and keeping records;
  • providing comprehensive, clear and transparent privacy policies;
  • maintaining relevant documentation on processing activities;
  • where appropriate, appointing a data protection officer or using data protection impact assessments (see below);
  • implementing measures that meet the principles referred to as ‘data protection by design’ and ‘data protection by default’. This effectively means being proactive in considering data protection, and building in compliance, from the beginning of a project, transaction and so on. For example, when implementing new IT systems, introducing new policies, instructing new third parties or developing new products or services, the data protection implications should be considered at the outset. Risk assessments will potentially be an important tool in this regard.

This will affect data of all kinds of individuals, including employees and staff, contractors, customers, clients, service users and potentially suppliers of services who are individuals. It is advisable for organisations to consider reviewing what data they hold, who it concerns and whether processes may need to be altered or improved to ensure compliance with the principles can be shown.

Record Keeping

Organisations will be required to keep records of their processing activities, including the type of data held, the purposes for which it is processed, schedules for retention of data and notes of security measures in place.

There is a partial exception for organisations with fewer than 250 employees, which are only required to maintain records of activities related to higher risk processing, namely:

  • processing that is likely to result in a risk to the rights and freedoms of individuals;
  • processing that is not occasional; or
  • processing of special categories of data or of data relating to criminal convictions and offences.

The special categories of data include what was previously referred to as sensitive personal data. At present, these categories are data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation or sex life, data concerning health, and genetic or biometric data used for uniquely identifying a person. This type of data should not be processed unless there is a specific lawful basis, the permissible ones being set out in the regulation.

Lawful basis for processing and consent

Under data protection law, there must be a lawful basis for processing personal data. The recognised lawful bases are set out in the legislation and differ depending on whether the data falls within a special category. They include that the processing is necessary for the performance of a contract, for compliance with a legal obligation, or to protect the individual’s vital interests. Organisations will need to be clear about which basis they are relying on when processing data.

A common basis on which data is processed is the consent of the individual. The GDPR enhances the requirements for consent, so that it must be specific, informed and freely given, and must be indicated by a clear affirmative action. This means, for example, that a pre-ticked box on a website (which currently appears to be a fairly common practice) is not valid consent: the individual must actively opt in. If consent is given as part of a written declaration, it should be clearly separate from other matters. Where the personal data is that of a child, the GDPR requires parental consent to be given if the child is below a certain age. At the moment, the UK intends to set this age at 13.

Organisations must be clear in their records on what basis they are processing data. If the basis is consent, then the requirements for consent under the GDPR must be considered, although it should be remembered that consent is not always necessary or appropriate if there is another lawful basis for processing the data.

Privacy Notices: Information for Data Subjects

Hands up anyone who reads privacy notices or policies currently? Statistics suggest very few of us do, but often this is because such notices are lengthy and couched in legalistic terms and jargon. The GDPR requires that individuals be given various pieces of information about the processing of their data at the time it is collected, and that it be given in a way which is easily accessible, concise and transparent, in clear and plain language. The information required includes the purposes the data is used for, who the data might be disclosed to, how long the data is retained and what rights the individual has. It is recommended that any such notice is kept separate from other terms and conditions.

This is likely to require the updating of documentation such as privacy policies, employee handbooks, contracts and websites and potentially changes in practice when taking on new customers or clients.

Enforcement

One of the key changes, as noted above, is that the GDPR gives supervisory authorities such as the Information Commissioner (ICO) increased enforcement powers.

Currently, in the UK the maximum fine for non-compliance with the Data Protection Act is £500,000. The GDPR significantly increases this. For violations relating to matters such as internal record keeping, data security and breach notification, fines can be up to 2% of annual worldwide turnover or the equivalent of 10 million euros, whichever is the greater. For breaches of the data protection principles, conditions for consent and data subjects’ rights, this is increased to 4% of annual worldwide turnover or 20 million euros, whichever is greater.

However, there are a range of sanctions available, including issuing warnings, ordering steps for compliance or placing restrictions on processing activities. The ICO has generally sought not to impose fines if there is a more appropriate sanction and they have never yet imposed the maximum fine available. It is noted on the ICO website that issuing fines will, in many cases, continue to be a measure of last resort. However, the potential for fines should not be taken lightly and it is advisable to take steps to ensure compliance with the GDPR as far as possible.

Breach notification

The GDPR introduces a mandatory duty to report personal data breaches. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data. This does not mean every minor breach needs to be reported: the requirement to notify the ICO arises where, as a result of the breach, there is a risk to the rights and freedoms of the individuals concerned; for example, if it could result in discrimination, financial loss, significant reputational damage and so on.

The breach would need to be reported to the ICO and, where the breach is likely to result in a high risk to individuals, to the affected individuals as well. Notification to the ICO should be made without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach. Fines can be imposed for failures to notify. The notification should describe the nature of the breach (including, where possible, the categories and approximate numbers of individuals and records concerned), the likely consequences of the breach, and the measures taken or proposed to address it and to mitigate its effects.

Guidelines have been produced which give various factors to be considered in determining the type of breach which might need to be reported. The ICO currently recommends that organisations consider, in the context of their business, what breaches might occur and what could be considered serious enough to report. The ICO recommends implementing internal breach reporting procedures and training staff, as well as considering cyber security.

Data Protection Officers

A further new obligation which only arises in limited circumstances is to appoint a Data Protection Officer (DPO). This is required where the organisation:

  • is a public authority;
  • carries out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carries out large scale processing of special categories of data – being sensitive data such as health information - or data relating to criminal convictions and offences.

‘Large scale’ is not defined, but consideration should be given to the number of people data is held on, the duration or permanence of the processing and so on. Examples of organisations this is likely to include are hospitals, banks, insurance companies or phone and internet providers. Other organisations can choose to appoint a DPO, as all will have to ensure there are staff with the requisite knowledge to comply with the GDPR. If personal data is a key aspect of the business, appointing a DPO may be useful even if not required. There is no specific qualification required to be the DPO, although the person appointed should have the knowledge, experience and skill to carry out the role.

The DPO’s minimum or core tasks are:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including to advise, train staff and conduct internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

Impact Assessments

Data Protection Impact Assessments (DPIAs), also known as Privacy Impact Assessments (PIAs), have previously been encouraged as best practice but will be required under the GDPR where the processing is likely to result in a high risk to the rights and freedoms of individuals.

Systematic or large scale processing may be high risk, including large scale monitoring of publicly accessible areas such as by CCTV. Processing special categories of data on a large scale may also fall within this definition. The assessment should set out the purpose and necessity of the processing, the risks to individuals, and the measures in place to address those risks, such as data security measures.

However, although the requirement is restricted to where there is a high risk, completing such assessments generally or including privacy and data protection concerns within broader risk assessments is likely to be a beneficial practice in terms of compliance.

Right to be forgotten

The GDPR introduces a new concept of the right to erasure or the ‘right to be forgotten’. This is not as strict a right as it sounds, but effectively refers to individuals now having the ability to ask for data held about them to be erased in certain circumstances, such as where it is no longer required, or they withdraw consent and the data cannot be processed lawfully without it. There are certain circumstances in which the right does not apply, such as where the controller still requires the data to comply with its legal obligations.

This means that individuals will be able to exercise this right to have their data erased from an organisation’s records, such as where they were signed up with a company for a service which they no longer use or have cancelled. Organisations will need to be aware that individuals have this right, be aware of the circumstances in which they can use it, and ensure there is a method in place to properly erase data.

There is also a new right for individuals to ‘data portability’, which is the right to receive the personal data they have provided to an organisation in a structured, commonly used and machine-readable format that can be transferred to another organisation. This right applies only in certain circumstances, such as where the processing is carried out by automated means on the basis of consent or a contract.

Conclusion

We have covered some important effects of the GDPR in this and our previous article, but there are further provisions and details with which businesses may need to be concerned depending on their size, type of business and use of data, including changes to the rules where data is used for direct marketing, profiling or automated decision making.

Both the ICO and the UK government have indicated that organisations which already comply with the existing Data Protection Act will be in a good position and well on the way to compliance with the GDPR. There is a lot of information and guidance on the Information Commissioner’s website and in the coming months it is anticipated that additional guidance will be provided on the GDPR and what it means for organisations. However, it is recommended that to ensure compliance by the time it comes into force on 25th May 2018, steps should be taken as soon as possible.

If you require more information or advice on how these changes might affect you or your business or organisation, please feel free to contact Miller Samuel Hill Brown.
