In less than three months the General Data Protection Regulation (“GDPR”) comes into force. On 25th May 2018, any business, charity or organisation which holds personally identifiable information must be fully compliant with the GDPR principles or face severe financial penalties.
A number of businesses have been struggling to understand the compliance requirements under the GDPR, and the time to implement the right systems is running out. The purpose of this post is to provide some background on the GDPR and the types of systems that need to be in place.
The current data protection landscape and the birth of the GDPR
Data protection law in the UK is currently derived from the 20-year-old Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive. This Act was passed before the advent of social media and smartphones; it does not take a genius to spot that the law has not kept pace with technology.
In 2012, the European Commission proposed to strengthen online privacy rights, a move aimed at boosting the EU’s digital economy. After four years of negotiation, the GDPR was adopted by both the European Parliament and the European Council in April 2016.
The aims of the GDPR are twofold. Firstly, regulators want to provide individuals with more control over how personally identifiable information is being used. Secondly, to keep the EU market competitive, the GDPR is designed to provide uniform data protection legislation across all Member States, providing clear, identical laws throughout the single market.
From 25th May 2018, the GDPR will apply to the UK automatically, with the Information Commissioner’s Office (ICO) acting as the regulating body. Despite the potential impact Brexit could have on various EU regulations, Parliament has made it clear the GDPR will continue to apply to the UK after we leave the EU.
The main principles of the GDPR
The main principles of the GDPR are set out in Article 5 which states:
“Personal data should be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
The definition of a data controller and a data processor
The determining factor between a data controller and a data processor is who has control of the data. According to the ICO, a controller “determines the purposes and means of processing personal data”. A processor, on the other hand, “is responsible for processing personal data on behalf of a controller”.
Accountability and compliance
Compliance under the GDPR is not passive; you must be able to demonstrate it. To do this organisations need to implement the following accountability behaviours:
- have a clear governance structure with established roles and responsibilities;
- have a clear, concise record of all the data processing the organisation undertakes;
- clearly document GDPR policies and procedures and make sure these are shared with and available to all data subjects and data processors;
- have a documented action plan to cover what must happen in the case of a data security breach ensuring GDPR reporting requirements can be met;
- ensure there are appropriate measures implemented to protect personal data;
- have a program of staff training and awareness and document it; and
- appoint a Data Protection Officer (“DPO”) where required.
One of the key changes that the GDPR brings is that the burden of proof to show compliance lies with the data controller (i.e. each business that holds personal data). All data controllers must also be registered with the ICO; failing to register carries a criminal sanction.
Complying with the GDPR – 5 initial steps you need to take to meet compliance
Like all compliance matters, once an organisation has a solid framework in place from which to build policies and procedures, it needs to provide staff with regular training and ensure that the systems in place are implemented.
Remember, the GDPR puts a great emphasis on positive actions to ensure compliance. It is not enough to “have an informal chat over the cubicle”; each organisation must document its policies and procedures.
1. Map your data flow
You must be able to identify, understand, and map out the data flows of your organisation. You must be able to identify what information your company holds, where it is stored, why it is used, and how and why it is transferred to third parties.
For some large organisations, this will be easy. For most SMEs, tracking and centralising data is significantly more complex.
Understanding the data flow is the framework for GDPR compliance. Without this knowledge, it will be impossible to draw up GDPR policies and procedures.
There are three different areas that you must consider:
- Customer / client information;
- Supplier information; and
- Employee information.
- Make your staff and suppliers aware of the changes
To be compliant, one must know a regulation or policy exists. The old saying “ignorance of the law is no excuse” applies to the GDPR, therefore, it is imperative that you implement a training program with your staff.
This extends to other organisations and contractors with whom you share information; they too must be compliant with the GDPR. If they are not, and you share information, liability lies with you (i.e. the data controller).
Article 28 of the GDPR stipulates the data protection obligations between a controller and a processor. A written contract should be in place documenting each party’s responsibilities and liabilities. In addition, the processor must be able to show it is compliant under the GDPR.
According to the ICO guidelines:
“Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. In the future, using a processor which adheres to an approved code of conduct or certification scheme may help controllers to satisfy this requirement – though again, no such schemes are currently available.
Processors must only act on the documented instructions of a controller. They will, however, have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply”.
To reach compliance, contracts must include the following terms (NB: this is not an exhaustive list):
- the processor can only act in accordance with the written instructions it receives from the controller;
- those processing the data must be subject to a duty of confidence;
- a sub-contractor can only engage a sub-processor with the consent of the controller and a written contract in place; and
- at the end of the contract, all personal data must be returned to the controller.
2. Review your personal data privacy procedures and put policies in place for ensuring they are GDPR compliant
Under the Data Protection Act 1998, those who collect personal data have to provide certain information, including their identity and why the information is being used. However, the GDPR expands on this and requires controllers to provide the reason why the data is being processed, how long it will be retained for and how the information will be used.
One key way to communicate the above is through a Privacy Notice. The ICO states that best practice involves utilising several techniques to communicate privacy information to data subjects to give them a greater choice and control over how their personal data is used. Examples of processes and policies that should be in place to ensure compliance are (NB: this is not an exhaustive list):
- Security policy;
- CCTV policy;
- Data retention policy;
- A record of processing;
- Breach reporting process;
- Business continuity policy;
- An information security policy (ask yourself, how often does your organisation require passwords to be updated?);
- Policies relating to a data subject’s rights:
– Right of access;
– Right to erasure;
– Right of portability;
– Right to object to processing, and so on.
3. Ensure consent is obtained freely and is specific, informed and unambiguous
Privacy compliance ties in closely with consent, one of the most important aspects of the GDPR and the one that causes the most concern, not only for SMEs but also for charities and local bodies.
The ICO has set out detailed guidelines for obtaining consent.
Consent is about the data subjects giving permission to the controller and processor to collect, use, and store their personal information. Take this article for example. To collect email addresses of readers, under current laws, we could ask you to provide your email address in exchange for access. We could then use your email address for marketing purposes, without having to provide too much detail as to how your email would be used.
The days when the above was allowed end with the GDPR. Going forward, each organisation needs to show that it has policies and procedures in place to ensure consent is being obtained freely, and that the data subject understands exactly what their data will be used for.
The standard for consent under the GDPR is high. The definition of consent under Article 4(11) is:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
To comply with the consent requirements under the GDPR, you need to ensure:
- Requests for consent are not bundled with terms and conditions, and should not be a pre-condition for signing up to a service, unless consent is necessary to provide the service;
- The giving of consent must be an active process. Silent or pre-ticked boxes will not be allowed under the GDPR;
- Clear, unchecked opt-in boxes should be used. The GDPR does not prohibit opt-out methods; however, the ICO has stipulated organisations must use a positive opt-in method;
- Make sure your organisation and any third-parties who may process the data are clearly named on the consent form;
- Ensure accurate records of consent are kept (e.g. the date and time the consent was received); and
- Let people know they have the right to withdraw their consent at any time and provide instructions on how to do this. For example, at the bottom of an email newsletter, provide an “unsubscribe” link.
Once consent is obtained, there are also other factors to consider; to process personal data in compliance with the GDPR, organisations must have at least one ‘legal basis’ for doing so.
The legal bases include the following:
- That consent has been obtained;
- That a contract is in place which requires you to process data;
- That there exists a legal obligation to process the data;
- That the processing is being carried out in the public interest or is an exercise of official authority vested in the controller;
- That a vital interest exists (i.e. life or death situation); and
- That the organisation has a legitimate interest in doing so which is not disproportionate to the rights of the data subject and does not harm their interests.
‘Legitimate interest’ is one of the more difficult terms to understand in the GDPR. It is not strictly defined, and much rests on the ability of the controller or processor to show that there is a balance of interests – their own and those of the person whose data is being used.
A few examples of ‘legitimate interest’ include:
- if there is a reasonable expectation by the data subject that their information will be processed for a particular purpose; and
- the existence of an appropriate relationship (i.e. the data subject is a long-term client).
4. Appoint a Data Protection Officer
Under the GDPR, some organisations are required to appoint a Data Protection Officer (DPO). A DPO must be given the power to manage GDPR compliance. In addition, they should be independent of the management team so that they can report any data breaches without fear of personal or professional ramifications. For this reason, many organisations choose to recruit an independent third-party as their DPO.
Under the GDPR, you are required to appoint a DPO if you are:
- a public authority (courts are exempted);
- an organisation that engages in a great deal of monitoring of private individuals as part of its business; or
- an organisation that monitors and processes special categories of data such as medical or criminal records.
5. Make sure you can comply with the data breach requirements of the GDPR
The GDPR has strict compliance responsibilities regarding what an organisation must do in the face of a data breach.
All entities will have a duty to report data breaches which pose a risk to people’s rights and freedoms to the ICO within 72 hours. If the breach could result in a risk to individuals’ privacy, damage their reputation, result in discrimination, or cause some other type of social or economic problem, these people must be informed of the breach as soon as possible.
To ensure compliance, all organisations need to have robust breach detection, reporting and investigation procedures in place. Even if you are not required to notify, a record should be kept of all data breaches, however minor.
Penalties for breaching GDPR compliance
The penalties for breaching GDPR compliance are severe. For lower level breaches, the fine is €10 million or 2% of global turnover for the previous financial year, whichever is higher. Major infringements can lead to a fine of €20 million or 4% of global turnover, whichever is higher.
When deciding on the level of fine, the ICO would consider:
- the nature and gravity of the infringement;
- whether the breach was intentional or negligent;
- the mitigating actions taken by the organisation to contain damage to individuals;
- the compliance policies and procedures implemented by the organisation;
- any past infringements;
- the level of cooperation by the processor and controller;
- what personal data was involved in the breach;
- whether the ICO was promptly notified of the breach; and
- whether relevant codes of conduct were adhered to.
The ICO has made clear that maximum penalties will not be handed out without serious investigation and consideration of all the circumstances. However, the risk is present, and organisations have had plenty of notice to get their policies and procedures in place.
If you have not started to implement a framework to comply with the GDPR, the time to start is now. On 25th May 2018 the data protection landscape changes, and everyone, from the smallest sole trader to the largest conglomerate, must be prepared. It is not one size fits all: the GDPR applies differently to each organisation.
If you have any questions regarding points that have been mentioned in this article, please call us on 020 3588 3500.