The General Data Protection Regulation (GDPR), which replaces the EU Data Protection Directive, is a comprehensive data protection regime aimed at protecting individuals with regard to the processing of their personal data and giving them greater control over that data. The GDPR will apply in all EU member states from 25 May 2018 and will impose significant compliance obligations on any organisation which holds ‘protected data’. Although it is European legislation, the Government has indicated that the GDPR will remain on the UK statute books after Brexit. To this end, the Data Protection Bill 2017 was introduced to the House of Lords on 13 September 2017. The Bill supplements the GDPR and makes provision for its application in the UK, replacing the Data Protection Act 1998 (DPA) and building on existing data protection rights in order to take into account developments in digital technology and the way organisations often collect a wide range of information about people.
The GDPR regulates the processing of protected data by organisations operating within the EU and those outside the EU that offer goods or services to individuals in the EU. It builds on the existing data protection principles as set out in the DPA, but also makes significant changes, imposing stricter rules concerning the holding and management of data and also the use of personal data for commercial purposes. The most significant addition is the ‘accountability principle’, whereby data controllers must keep records to demonstrate how they comply with the data protection principles – for example by documenting the decisions taken about a processing activity.
The steps necessary to comply with the GDPR will depend on the amount of data your business holds and what it is used for. Organisations that carry out large-scale, systematic monitoring of individuals (for example, online behaviour tracking) and/or large-scale processing of special categories of data or data relating to criminal convictions and offences must appoint a Data Protection Officer to advise on and monitor GDPR compliance; public authorities and bodies must appoint one regardless of scale.
What is Protected Data?
The data protected by the GDPR is personal data. The processing of personal data includes its collection, recording, use, storage, adaptation or alteration, disclosure and destruction. Protected data must be processed lawfully, satisfying at least one of the acceptable processing conditions, fairly and in a transparent manner. The GDPR’s definition of personal data is more detailed and broader than that used under the DPA. It allows for a wide range of personal identifiers to constitute personal data, including online identifiers such as an IP address or a cookie identifier, since these relate to an identifiable person (the data subject). Data that has been genuinely anonymised is not covered; pseudonymised data, however, remains personal data for as long as the individual can be re-identified by anyone holding the additional information. Those processing personal data do so either as a data controller or as a data processor. The data controller determines the purposes and means of processing of personal data. Data processors may only process personal data on the documented instructions of the data controller. However, unlike the Directive it replaces, the GDPR places direct statutory obligations on data processors, so they may be subject to heavy fines.
The concept of sensitive personal data remains. The GDPR refers to ‘special categories of personal data’, which are broadly the same as in the DPA but have been expanded to include genetic data and biometric data where this is processed in order to uniquely identify an individual.
Key to the GDPR is the concept of privacy or data protection ‘by design’, whereby data protection risks must be considered at all stages of data handling and storage to ensure compliance. This will necessitate not only a thorough audit of existing practices to ensure compliance but also the involvement of those with data protection expertise in the implementation of any new project, to ensure that privacy concerns are an integral part of the design.
The minimum necessary amount of personal data must be collected (privacy or data protection ‘by default’) and it must be processed for a specific purpose and for that purpose only. In addition, access to data must be restricted to only those personnel necessary and data should not be retained for longer than is needed.
Under the GDPR, individuals have the same rights as under the DPA (e.g. the right to access their data and to have inaccurate data rectified, the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects on them, and the right to object to direct marketing) plus some new rights. These include the right ‘to be forgotten’ – i.e. to have their personal data erased – and the right to data portability, whereby an individual has the right to receive their personal data in a structured, commonly used and machine-readable form where the data was provided to a data controller with their consent or for the performance of a contract and is processed by automated means. Alternatively, where technically feasible, an individual can request that the data be transmitted directly from one data controller to another. When a subject access request is received, the response must include not only a copy of the data held on the individual but also the purposes of the processing, the categories of data held, the recipients (or categories of recipients) to whom it has been disclosed and the envisaged retention period.
Under the GDPR, subject access requests must be met without undue delay and in any event within one month of receipt. That period can be extended by up to two further months where requests are complex or numerous, but the individual must be told of the extension, and the reasons for it, within the first month. The current £10 fee will no longer be payable in most cases: a copy must be provided free of charge unless the request is manifestly unfounded or excessive, or further copies are requested.
Processing by Consent
For the processing of personal data to comply with the GDPR, it must be done on a lawful basis. Currently, consent is one of the most widely used grounds for justifying such processing. However, the new rights given to individuals as to how information about them is collected and held set a very high standard for consent so that they have genuine choice and control. An indication of consent must be unambiguous, involve a clear affirmative action and should be separate from other terms and conditions. It should not generally be a precondition of signing up to a service and the GDPR specifically bans pre-ticked opt-in boxes. Specific consent is required for distinct processing operations and clear records must be kept to demonstrate that consent was obtained. Individuals have the specific right to object to the processing of their personal data, and where processing is based on consent they may withdraw that consent at any time; once consent is withdrawn, the processing must stop unless another lawful basis for it exists.
Employers should be aware that broad consent to process personal data given by an employee in their contract of employment will not be a valid processing condition. Furthermore, the requirement that consent must be freely given will make it difficult for employers and other organisations in a position of power to get valid consent, given the imbalance of power in the relationship. Also, consent could be withdrawn at any time. Employers are therefore advised to identify another legal basis for processing personal data under the GDPR, such as where doing so is necessary in order to comply with a legal obligation such as for tax purposes or to provide statutory employment entitlements such as maternity or paternity pay, sick pay or annual leave.
The rules on communicating privacy information under the GDPR are more detailed and specific than in the DPA. The information provided to people about how you process their personal data must be:
The GDPR requires that more information is provided in a privacy notice than the DPA does, including the lawful basis for processing the data. For example, employers are required to provide employees and job applicants with information on how their personal information will be used. Under the GDPR, this will include:
For further information on privacy notices, see the website of the ICO.
It will be necessary to make sure everyone who has access to or processes personal data is aware of the GDPR and the need to ensure compliance with its requirements. Given the scale of the task, a carefully planned approach and the appointment of a team with the necessary skills to see it through to its fulfilment are essential.
The list below contains the ‘bare bones’ of compliance – there will be additional issues if you export data abroad, make use of ‘bought-in’ data or share your data.
All organisations must report personal data breaches to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where a breach is likely to result in a high risk to individuals, those affected must also be informed without undue delay, with a description of the nature of the breach, its likely consequences and the measures taken or proposed to mitigate them, together with a point of contact. Breaches that do not have to be reported must still be documented internally so that the ICO can verify the decision not to report.
The penalties for non-compliance with the GDPR can be very substantial – for serious breaches, up to 4 per cent of annual worldwide turnover or €20 million, whichever is the higher.
The European Commission also plans to introduce a new ePrivacy Regulation to replace the 2002 Directive that is implemented into UK law by the Privacy and Electronic Communications (EC Directive) Regulations 2003. The new legislation is required in order to keep pace with technological developments and will cover cookies, online marketing, and the collection of metadata and behavioural data.
We recommend using the introduction of the GDPR not only as an opportunity to improve the way in which you handle personal information but also to think seriously about the protection of all sensitive and confidential information (such as turnover by category of goods, for example) and security generally.
Source: Employment Law – The GDPR – Will You Be Ready?