Most people will by now have heard the four letters that will change the landscape for data protection in Europe next year: GDPR. The General Data Protection Regulation (GDPR) is an EU Regulation, so it will apply automatically within the UK from 25 May 2018 without the need for UK implementing legislation. While it may seem a long time until compliance is required, the changes it introduces represent a substantial challenge for businesses within the UK, and steps should be taken now to limit any issues (or fines) in the future. In the first of several updates on data protection and GDPR, I have set out the main changes organisations need to be aware of (with greater detail to follow on certain key areas in subsequent blogs).
Territorial Scope
GDPR has extra-territorial application. It applies to organisations established in the EU that process personal data (whether the processing itself takes place within the EU or not), and to organisations outside the EU that process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour (whether or not the organisation has any presence in Europe).
Fines
The current maximum fine the ICO can impose is £500,000 (although the fines actually imposed are normally well below this figure). Under GDPR the maximum fines increase substantially and fall into two tiers. Where an organisation breaches its record keeping, contracting (controller/processor) or security obligations, the maximum fine is the greater of €10,000,000 or 2% of worldwide annual turnover. Where an organisation breaches one of the basic principles or a data subject's rights, the maximum is the greater of €20,000,000 or 4% of worldwide annual turnover.
It is worth noting that most of the fines the ICO currently imposes would fall within the lower of these two tiers, which signals a shift in where the regulatory emphasis will lie under the new rules.
Individuals also have a right to claim compensation for damage caused by an infringement of the data protection rules. Going forward, this will expressly include non-material damage such as distress (rather than simply proven financial loss).
Data Processors
The current rules generally impose obligations on data controllers only (ie those who determine the purposes and means of processing personal data). GDPR creates direct obligations on data processors (those engaged by a data controller to process personal data on its behalf). These include (i) maintaining adequate documentation of their processing activities, (ii) putting appropriate security measures in place, (iii) assisting the controller with data protection impact assessments and (iv) complying with the rules on international data transfers. A processor that fails to comply could face fines and claims for damages from individuals in its own right, so processing contracts will need to be reviewed and updated to reflect the new allocation of responsibility.
Consent
Going forward, organisations can still rely on consent to process personal data, but will need to ensure such consent is freely given, specific, informed and unambiguous. Practically, this means organisations should not rely on opt-out mechanisms, pre-ticked boxes or silence. Requests for consent should be clear, in plain language and distinguishable from other matters (for example, not buried in general terms and conditions), with separate options to consent to different types of processing. Individuals must also be told that they can withdraw consent at any time, and it must be as easy to withdraw consent as it was to give it.
Businesses will need to maintain evidence showing when, how and to what the individual consented, and have appropriate mechanisms to act on a withdrawal of consent. Given that consent is only one of the lawful bases for processing personal data, organisations should consider whether another basis (for example, performance of a contract or legitimate interests) is more appropriate for the processing in question before relying on consent.
Breach Notification
Under GDPR, any personal data breach that is likely to result in a risk to the rights and freedoms of individuals must be notified to the ICO without undue delay and, where feasible, within 72 hours of the organisation first becoming aware of it. Where the breach is likely to result in a high risk to the individuals affected, those individuals must also be notified without undue delay.
GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. This is wider than a hacking incident: accidental loss or destruction of data, or access by someone without authority to see it, are all breaches.
Organisations will need to have an appropriate process in place for detecting breaches, containing them and preventing any further loss of data, assessing the likely impact on the individuals affected, and then notifying the ICO and individuals where required within the timescales above. A record of every breach, including those judged not to require notification, must also be kept.
Data Subject Rights
A data subject is the individual whose personal data is held by an organisation. The rights a data subject has under GDPR are broadly similar to those under the current rules, although some have been expanded. They include the right of access to the personal data held about them (subject access), the right to have inaccurate data rectified and the right to erasure (the right to be forgotten).
GDPR removes the ability for organisations to charge a fee for subject access in most cases (a reasonable fee may still be charged where a request is manifestly unfounded or excessive). A request can be made by any means (letter, email and social media are all acceptable), and an organisation must respond within one month, which may be extended by up to a further two months where requests are complex or numerous.
A new right created under GDPR is data portability, under which an individual can require that personal data they have provided to an organisation be transferred to another organisation. The data must be provided in a structured, commonly used and machine-readable format, either to the individual or, where technically feasible, directly to the other organisation. The right applies where the processing is carried out by automated means and is based on the individual's consent or on a contract with them.
This new right is intended to allow individuals to move between service providers quickly and easily. It is likely to require organisations to put in place procedures (and the technical means) for exporting and transferring data quickly and securely.
Accountability & Privacy By Design
Simply complying with GDPR will not be enough: organisations must be able to demonstrate compliance through appropriate policies, procedures and training.
Organisations should keep detailed records of their processing operations, carry out data protection impact assessments for high risk processing, keep comprehensive records of any breaches and take data protection risks into account from the start of any new project or process, rather than as an afterthought. The key concept is that personal data is only processed where necessary, for a specific purpose, and is stored for no longer than required.
Data Protection Officers
Going forward, certain organisations will need to appoint a Data Protection Officer (DPO) to oversee the protection of personal data. The DPO must report to the highest level of management and will advise on the organisation's obligations under data protection law, monitor compliance with GDPR, advise on data protection impact assessments and act as the point of contact for the ICO. A DPO is mandatory for all public authorities and bodies, and for any organisation whose core activities involve (i) regular and systematic monitoring of individuals on a large scale or (ii) large-scale processing of special categories of data (sensitive personal data) or data relating to criminal convictions and offences.
There is nothing preventing other organisations from appointing a DPO voluntarily, but if one is appointed, the same GDPR requirements as to the DPO's position, independence and tasks will apply.
It is important that organisations are aware of the new rules so they can consider what impact these may have on their own policies and procedures and what changes might be required before May 2018. For more information on data protection or to discuss your GDPR requirements in more detail, contact the Corporate Team at Blackadders.
Ruth Weir, Senior Solicitor – Corporate : @CorpLawyerRuth www.blackadders.co.uk