Everywhere I look and listen these days, GDPR is appearing, so I decided to read up on GDPR, what it is and what it means for businesses.
For those like me that weren’t sure what it stands for, it is the General Data Protection Regulation and is the new legal framework in the EU for data protection. In the UK, we already have the UK Data Protection Act 1998 (DPA) but the new regulations introduce some new and different requirements from the DPA. The GDPR will apply in the UK from 25 May 2018 and the UK government have confirmed that Brexit will not affect the commencement of the GDPR.
The GDPR applies to both ‘controllers’ and ‘processors’ and the definition of these are mostly the same as the DPA, therefore if you are already subject to the DPA, you will probably have obligations under the GDPR. Controllers are those that control how and why personal data is processed whilst processors act on behalf of controllers. Under the new GDPR, controllers are responsible for ensuring that processors comply with the GDPR and processors are required to maintain records of personal data and processing activities carried out within the EU even if the organisation is outside the EU.
The GDPR applies to ‘personal data’, but the definition of personal data in the GDPR is much more detailed, reflecting changes in technology and the ways that organisations collect personal data, and specifying that it includes both automated personal data and personal data held in manual filing systems. Interestingly, the GDPR also refers to ‘sensitive personal data’, which specifically includes genetic and biometric data under certain circumstances, but excludes processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals for personal/household activities.
The GDPR sets out the principles to be followed which are like those under the DPA but include a new accountability requirement which requires those governed by the GDPR to show how they are complying with the principles.
So, in summary the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Under the GDPR, consent requires some form of clear affirmative action and must be verifiable with details of how and when consent was given; pre-ticked boxes do not constitute consent. Individuals must be able to withdraw consent at any time. Consent that has already been obtained which does not meet the new requirements must be re-obtained before processing the data.
The GDPR contains the following rights for individuals:
- The right to be informed;
- The right to access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object;
- Rights in relation to automated decision making and profiling.
Several of these rights are like the existing rights under the DPA with a few notable exceptions:
- You must provide a copy of the information free of charge although you can charge a ‘reasonable fee’ under certain circumstances; previously the DPA provided for a £10 subject access fee;
- You must provide the information without delay and at the latest within one month (extendable by up to two months);
- The GDPR recommends that where possible organisations should provide remote access to a secure self-service system to provide individuals access to their personal data held;
- Where personal data has been disclosed to third parties and a request for erasure is subsequently received and upheld, the GDPR requires the third party to be informed unless it is impossible or involves disproportionate effort to do so;
- The right to data portability allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way and free of charge;
- Where personal data is held for direct marketing or research purposes and is processed online, individuals must be able to object online;
- Individuals must be informed of their right to object at the first point of communication, and this right must be “explicitly brought to the attention of the data subject”;
- Individuals must be able to obtain human intervention, express their point of view, obtain an explanation of the decision and challenge it, although there are some exceptions;
- The GDPR provides guidance on profiling and requires that appropriate safeguards are in place, as well as defining specific exclusions. It defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual for analysis or prediction, for example performance at work, health or behaviour.
Accountability and Governance
Under the GDPR, the significance of the principles of accountability and governance has been raised. What was previously good practice has now become a legal requirement, so that the risk of breaches is minimised.
To comply with this requirement, organisations must:
- Implement internal data protection policies such as staff training, internal audits of processing activities and review of internal HR policies;
- Maintain relevant documentation on processing activities;
- Appoint a data protection officer (DPO) (public authorities or organisations that carry out large scale systematic monitoring of individuals or large scale processing of special categories of data only);
- Implement measures that meet the GDPR including data protection by design and data protection by default;
- Use data protection impact assessments (DPIAs) when adopting new technologies or where processing is likely to result in a high risk to the rights and freedoms of individuals.
Optionally, organisations can adopt approved codes of conduct and/or certification schemes.
The GDPR requires that there are comprehensive, clear and transparent privacy policies that include:
- Name and details of the organisation;
- Purposes of the processing;
- Categories of individuals, personal data and recipients of personal data;
- Details of transfers to third countries;
- Retention schedules;
- Details of technical and organisational security measures;
- Organisations with 250 or more employees must maintain records of processing activities; other organisations must maintain these for higher risk processing.
Data Breach Notification
The GDPR imposes a duty on all organisations to report personal data breaches to the relevant supervisory authority where the breach is likely to result in a risk to the rights and freedoms of individuals (for example where it results in discrimination, damage to reputation, financial loss or the loss of confidentiality) and, where the risk is high, to the individuals affected as well. A breach is more than the loss or destruction of personal data; it also includes the alteration, unauthorised disclosure of, or access to personal data.
The breach notification must be reported within 72 hours of the organisation becoming aware of it and should include the nature of the breach (category and number of the individuals and records concerned), the name of the DPO or other point of contact, the likely consequences of the breach and the measures taken or proposed to be taken to deal with or mitigate any possible adverse effects of the breach.
Having read through the GDPR, this is the list of considerations that I have compiled:
- Responsibility for protecting personal data is shared between controllers and processors;
- Definition of ‘personal data’ has been extended;
- New accountability requirements include requirements for a DPO, DPIAs and breach notification;
- Rules for obtaining consent have been changed with separate rules for processing children’s data;
- Individuals have the right to be ‘forgotten’;
- New restrictions on international data transfers;
- Personal data processed by automated means must be exportable in a structured, commonly used format (including CSV) to meet the new requirements for data portability;
- Processes to be built on the principles of privacy by design;
- Tougher fines;
- Scope includes businesses outside the EU that process the personal data of EU individuals.
A relevant point of reference is Microsoft's article on their compliance with GDPR which can be found here.