How The Data Protection Act 2018 Affects Your Organisation

This time last year, your organisation will have been finalising a review of its data protection policies and procedures, undertaking a data mapping exercise and updating its privacy policy in preparation for the General Data Protection Regulation (GDPR) coming into force.

In addition to the GDPR, the Data Protection Act 2018 (DPA 2018) was passed on the 23rd May 2018 and came into force on the 25th May 2018, the same day as the EU regulation. The DPA 2018 supports the implementation of the GDPR. Much of the Act relates to law enforcement and intelligence and therefore has little applicability to the commercial world. However, there are some parts that organisations which deal with personal data should be aware of.

Ensuring the GDPR continues after Brexit
At some point in the future, the UK will formally leave the European Union. The DPA 2018 provides for the continued application of the GDPR once Britain leaves the EU.

GDPR exemptions
There is some scope for Member States to deviate from the GDPR with regard to data subjects’ rights, and the DPA 2018 sets these out. For example, a data subject will be unable to demand their personal data be produced if doing so could prejudice ongoing negotiations or the data is subject to legal professional privilege.

One exemption which has caused some comment is in connection with the disclosure of employee references. Under the Data Protection Act 1998, if a Subject Access Request (SAR) was received, a reference given by an organisation was exempt. However, because the exemption only applied to references provided by the organisation, it could only be actioned by the provider of the reference, not the recipient.

The DPA 2018 clears up this anomaly, so now, if a SAR is received, any reference provided in confidence, whether created by the organisation subject to the SAR or a third party, will not be exempt from disclosure. Therefore, it is imperative to mark references you do not wish to disclose as ‘Strictly confidential – employment reference’.

Special category personal data
Special category data is data which is deemed more sensitive than ordinary data and therefore requires special protection. An example is where personal data processing relates to criminal convictions for the purposes of employment. Several conditions must be satisfied under the DPA 2018, and to meet compliance, you must have a policy document that defines how your systems comply with the principles in Article 5 of the GDPR and provides details of your procedures for keeping and deleting special category / criminal conviction and offence data. Requirements are also set out for certain situations, such as the processing of personal data relating to research projects, journalism, and fraud prevention.

The annual data protection fee
The DPA 2018 sets out an obligation to pay a yearly data protection fee which ranges from £40 to £2,900 depending on the organisation’s size.

If your organisation is registered under the Data Protection Act 1998 notification scheme, you can rely on this until renewal.

Children
Children can provide their consent for GDPR purposes from the age of 13 years, lower than the GDPR’s default age of 16 years.

Data protection offences
New data protection offences are introduced by the DPA 2018, including re-identifying information which was formally de-identified or deliberately hiding or changing data which is part of a SAR.

Information Commissioner’s Office (ICO) power of enforcement
The DPA 2018 enhances the ICO’s powers to serve information and assessment notices and to enter and inspect offices in specific circumstances. Criminal sanctions are also in place for taking action which interferes with ICO investigations, for example, destroying information.

The effect of the DPA on contracts
All organisations need to revise their contracts to reflect the compliance requirements in the DPA 2018. This is in addition to the mandatory clauses relating to contracts provided by the GDPR, art.28, which states a controller must have a legal contract with a processor which governs the processing of all personal data collected and stored by the controller. The contract must set out “the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller”.

In particular, art.28 states that the processor must:

• process personal data only on the “documented instructions” of the controller
• follow appropriate confidentiality procedures
• take all measures to ensure security of processing under art.32
• delete or return personal data to the controller at the end of the provision of services; and
• provide evidence of compliance with the provisions of the GDPR.

In summary
After reading this blog, you may be scrambling for your contracts, desperate to check they are compliant with the DPA 2018 as well as the GDPR. Well, don’t panic. Chances are your existing agreements only require a slight adjustment to meet compliance requirements. The quickest way to do this is to have them looked over by your legal advisor.

Saracens Solicitors is a multi-service law firm based in London. We have dedicated and highly experienced commercial law solicitors who can advise you on all GDPR and DPA 2018 matters. For more information, please call our office on 020 3588 3500.
