The General Data Protection Regulation (GDPR) will apply in all EU Member States from 25th May 2018. It is important to stress that the GDPR is about much more than employee data. It is becoming increasingly clear to us that our extensive range of clients have a wide range of data protection issues, far beyond the employee information which they hold, and many do not meet the current Data Protection Act, let alone the even more onerous GDPR, so they are just not prepared. Our previous newsletter focussed on employee data. This newsletter will concentrate on broader issues which you need to think about with regard to the personal data your organisation processes, stores and disposes of.
One of the first things to consider is whether the organisation is processing personal data as a controller or a processor. A processor just acts on the instructions of the controller.
Countdown to 2018
The GDPR will harmonise data privacy practice across Europe. The emphasis is on protecting citizens and their data, and giving users more information about, and control over, how it’s used. There are a large number of national derogations. It is also likely there will be differences in the way the Regulation is interpreted and enforced in different Member States. It is believed that the British Data Protection Bill will not be ‘gold-plated’, i.e. not made more onerous than the EU Directive, on its way to becoming an Act of Parliament. The new law gives individuals more say over what organisations can do with their personal data (which can be anything from physical, physiological, mental, economic or cultural data and more).
The new law retains the same core rules as the Data Protection Act 1998 (DPA), and continues to regulate the processing of personal data, but there are some significant changes. These include the right to be forgotten, the right to request the porting of one’s personal data to a new organisation, the right to object to certain processing activities and to decisions taken by automated processes.
The concept of sensitive personal data has been retained and expanded to include genetic and biometric data. The actual term ‘sensitive personal data’ has been dropped, but is now re-termed as falling into ‘special categories’, i.e. information concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.
Board or Senior Management Issues
Data protection needs to become a boardroom issue, as the law is designed to put data protection at the top of the agenda for all organisations. This is done by creating a culture where everyone contributes to maintaining data privacy standards and ensuring compliance, thinking about how they would want their own personal information to be processed as well as how they handle the personal data of others, i.e. the people they deal with, such as customers/clients, patients, guests, residents, other stakeholders, members of the public etc.
Also, it’s not just about the threat of financial penalties. Individuals need to trust the organisations they are providing their personal information to, and have confidence that their information will be handled appropriately and securely, as without that trust there will be huge organisational challenges to overcome.
The GDPR introduces the principle of accountability which runs through the core of the legislation. Accountability needs to be entrenched in an organisation, requiring a change in mind-set and for organisations to take a proactive, methodical and accountable approach toward compliance. The Senior Management Team need to understand the potential exposure to fines, and other sanctions under the GDPR, and must get buy-in for compliance at all levels across the organisation.
Organisations must be able to demonstrate their compliance with the GDPR’s principles, which will include adopting certain “data protection by design” measures, staff training programmes, and having suitable data protection policies and procedures.
You will need to identify means to “demonstrate compliance” – e.g. adherence to approved codes of conduct, “paper trails” of decisions relating to data processing and, where appropriate, privacy impact assessments.
Your internal governance processes will need to demonstrate how decisions to use data for further processing purposes have been reached and that relevant factors have been considered.
Consent and Legitimate Interests
You need to ensure you are clear about the grounds for lawful processing relied on by your organisation, and check these grounds will still be applicable under the legal requirements. Consent is not the only mechanism for justifying the processing of personal data.
The processing of personal data will only be lawful if it satisfies at least one of the following conditions:
- Consent of the data subject – this is broadly the same as under the DPA, but the GDPR has a narrower view of what constitutes consent, meaning that it will become harder to obtain consent. In practice, this means that data controllers will have to fall back on other processing conditions.
- Necessary for compliance with a legal obligation – this is broadly the same as under the DPA. However, under the GDPR, the legal obligation must be an obligation of Member State or EU law to which the controller is subject.
- Necessary for the performance of a contract with the data subject, or to take steps preparatory to such a contract – again, no change from current law.
- Necessary to protect the vital interests of a data subject, or another person where the data subject is incapable of giving consent – this should only be relied on when there is no other ground available, e.g. medical emergencies.
- Necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller.
- Necessary for the purposes of legitimate interests – this condition can no longer be relied on by public authorities, but is probably the most important for many other organisations.
If you are relying on “legitimate interests”, ensure that decision-making in relation to the balance between the interests of the controller (or relevant third party) and the rights of data subjects is documented, particularly where this affects children. Make sure also that data subjects would reasonably expect their data to be processed on the basis of the legitimate interests of the controller or relevant third party. You will also need to make sure that you advise people of this reason in the information that must be supplied to data subjects. A legitimate interest ‘must be real and not too vague’. For example, it may apply to an organisation’s data processing as part of fraud protection, security measures or transferring that data between different parts of an organisation.
In some ways the best reason is that the individual has consented to you processing their data. The standard for obtaining valid consent has, however, been tightened up: consent must be specific, freely given, informed and unambiguous. To justify consent from a legal perspective, ensure that:
- consent is active, and does not rely on silence, inactivity or pre-ticked boxes;
- consent to processing must be distinguishable, clear, and not “bundled” with other written agreements or declarations; there is a presumption that forced consent mechanisms will not be valid, so it must be clear exactly what people are assenting to;
- consent requests are separate from other terms and conditions; organisations should avoid making consent a precondition of a service, unless necessary for that service, and must not be used as a vehicle to get consent to something else, e.g. receiving email;
- the data subject must have the right to withdraw consent at any time, but this will not affect the lawfulness of consensual processing before its withdrawal;
- there are simple methods for withdrawing consent, including methods using the same medium used to obtain consent in the first place;
- separate consents are obtained for distinct processing operations; and
- consent is not relied on where there is a clear imbalance of power between the data subject and the controller.
Further guidance is expected, but organisations will need to review existing consent mechanisms, to ensure they present genuine and granular choice. Granular means that you give a thorough explanation of options to consent to different types of processing wherever appropriate. You will need to determine whether any of your current processing is based on assumed consent and if so, this must be stopped, unless you can get consent, or have another legal basis for the processing. You must audit data privacy notices and policies to ensure that individuals are told about their right to object, clearly and separately, at the point of ‘first communication’. For online services, ensure there is an automated way for this to be effected.
Security of Processing
Controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The assessment of what might be appropriate involves considering the context and purposes of the processing, as well as the risk, of varying likelihood and severity, to the rights and freedoms of individuals.
Appropriate measures are set out as possibly including:
- pseudonymisation (separation of data from direct identifiers so that linkage to an identity is not possible without additional data to re-identify the person);
- anonymisation (irreversibly destroying any way of identifying the data subject);
- encryption and other measures, such as firewalls, to prevent hacking;
- ensuring confidentiality, integrity, availability and resilience of processing systems and services;
- ability to restore availability and access to personal data in a timely manner in the event of an incident; and
- the regular testing and evaluation of technical and organisational measures designed to ensure the security of data processing.
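The difference between the first two measures above is easy to state but easy to get wrong in practice. The following Python example is added here and is not part of the newsletter: it pseudonymises constructed sample records with a keyed token whose mapping is held separately, shows that re-identification depends entirely on that separately held data, and contrasts this with anonymisation, where identifiers are dropped and the remaining fields generalised so there is nothing left to reverse. The records, names and key are all constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: fictitious people, not real data.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "postcode": "SW1A 1AA", "age": 34, "diagnosis": "asthma"},
    {"name": "Bob Example", "email": "bob@example.com", "postcode": "SW1A 2BB", "age": 38, "diagnosis": "diabetes"},
    {"name": "Carol Example", "email": "carol@example.com", "postcode": "M1 1AE", "age": 52, "diagnosis": "asthma"},
    {"name": "Dan Example", "email": "dan@example.com", "postcode": "M1 2AB", "age": 57, "diagnosis": "none"},
]
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records, key):
    """Swap direct identifiers for a keyed token (HMAC-SHA256 over the e-mail address).

    Returns the pseudonymised rows and the token-to-identity mapping. The mapping and
    the key are the 'additional data' needed to re-identify a person: both must be stored
    separately from the pseudonymised data and access-controlled, because either one undoes it.
    """
    lookup, rows = {}, []
    for r in records:
        token = hmac.new(key, r["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        rows.append({"subject_id": token, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return rows, lookup


def reidentify(row, lookup):
    """Re-identification works only for whoever holds the separately kept mapping."""
    return lookup.get(row["subject_id"])


def anonymise(records):
    """Drop direct identifiers and generalise quasi-identifiers (postcode area, age band).
    No mapping or key is kept, so there is nothing to reverse."""
    rows = []
    for r in records:
        band = r["age"] // 10 * 10
        rows.append({"postcode_area": r["postcode"].split()[0],
                     "age_band": f"{band}-{band + 9}",
                     "diagnosis": r["diagnosis"]})
    return rows


def k_anonymity(rows, quasi_identifiers):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one person is unique in the data set and so may still be linkable."""
    groups = Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)
    return min(groups.values())
```

Note that the pseudonymised rows still have k = 1 on (postcode, age): removing names does not stop linkage, which is why pseudonymised data remains personal data under the GDPR while the generalised output does not.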
The best way for organisations to deal with this is to minimise breaches, but also to have policies in place to enable staff to assess risk in order to show compliance. As with so much of the GDPR, being able to demonstrate that the proper precautions and steps were taken will be crucial. If your security measures are currently fit for purpose, you are unlikely to need to do much more. However, it would be worth reviewing these measures to ensure they are up to date with the latest technology and threats. Many changes are not about technology at all: it is simple stuff like not leaving files on photocopiers or desks, or information on screens, when we are not there.
In a recent case against Morrison Supermarkets, the High Court has held that an employer was vicariously liable for the actions of a disgruntled employee who disclosed the personal information of around 100,000 colleagues on the internet. Although the disclosure took place outside working hours, and from the employee’s personal computer, there was a sufficient connection between the employee’s employment and the wrongful conduct for it to be right to hold the employer liable. There is no suggestion that Morrison was negligent, but they are facing a potentially large amount in compensation. This highlights another warning about how the employer can be held responsible for the acts, lawful and unlawful, of its employees.
Many existing rights are retained or enhanced in GDPR, and there are some new ones. Here is a selection:
Subject Access
The right of subject access is retained, but it will no longer be permissible to charge a fee, and the time limit is reduced from 40 days to a month.
Rectification
The Data Subject can have incorrect data corrected and incomplete data completed.
Erasure (“right to be forgotten”)
The Data Subject can tell you to erase their information and you must do so unless you have a good reason (from among the options set out in GDPR) to retain it.
Restriction of Processing
The Data Subject can restrict your processing of their data if there is an unresolved question of its accuracy, and in some other specified situations.
Data Portability
In certain cases (mainly where the Data Subject has signed up to online services), they can have their data transferred directly to another provider.
Objection to Direct Marketing
As now, the Data Subject has the right to stop you from sending them any direct marketing, and you must make sure they know about this right. If you currently send email campaigns, you need to make sure your audience has opted in to receive information, and that you have a record of when and where that person opted in. (To prove it was a person and not a ‘bot’, a ‘double opt-in’ is required.) This may mean re-opting in all the people on your mailing list before May next year.
Profiling & Automated Decision-Making
There is a new right allowing people, in some cases, to prevent “a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her”.
Complaints and Compensation
Data Subjects have the right to complain to the ‘supervisory authority’ – i.e. the Information Commissioner – and have the complaint investigated.
Data Sharing with Other Organisations
If you process personal data as part of work in collaboration with other organisations, then both or all organisations are likely to be joint Controllers. Under GDPR you can’t pass the buck between processor and controller. Each business is responsible for upholding the same standards, and you’ll want to work with businesses who are GDPR-compliant. You must set out ‘in a transparent manner’ your respective Data Protection responsibilities, and to make the ‘essence’ of the arrangement available to your Data Subjects. Data Subjects may exercise their rights against any of the joint Controllers.
Work with relevant partners who may collect data on your organisation’s behalf to assign responsibility for notice review, update and approval. You need to review all your collaborative projects and activities to ensure that, where applicable, your agreements are clear on each party’s Data Protection responsibilities.
Controllers and processors are also required to ensure that anyone acting under their authority who accesses the personal data does so only in accordance with their instructions. Compliance may (but does not have to) be demonstrated by adherence to an approved code of conduct or certification mechanism.
Controllers and processors should agree to report to other controllers or processors that are involved in the same processing, any relevant compliance breaches and any complaints or claims received from relevant data subjects. They should agree on their respective obligations for data protection compliance, their respective liabilities for data protection breaches and mechanisms for resolving disputes regarding respective liabilities to settle compensation claims.
Assign responsibility and budget for data protection compliance within your organisation. Whether or not you decide (or are required) to appoint a Data Protection Officer (DPO), the GDPR’s long list of data governance measures means that ownership of their adoption must be allocated within the organisation.
Ensure that a full compliance programme is designed for your organisation, incorporating features such as Privacy Impact Assessments (PIAs), regular audits of data, data protection updates, and training/awareness-raising programmes.
Monitor supplier terms and codes of practice published by supervisory authorities, the EU and industry bodies to see if they are suitable for use by your organisation. If you are a supplier, consider the impact of the GDPR’s provisions on your cost structure and on your responsibility for signing off the legality of your customers’ activities.
Implement measures to prepare records of your organisation’s processing activities. If you are a supplier, develop your strategy for dealing with customer requests for assistance with the development of such records.
Teamwork not just IT
You should establish a GDPR compliance team with the necessary skills and experience to develop, implement and coordinate a compliance plan. Initially this will mean analysing existing data processing activities across the organisation’s employment lifecycle to identify high-risk areas.
Develop a timeline to implement a GDPR compliance programme.
- Carry out a risk assessment (PIA) and then act on the results:
  - document all current processes and data flows;
  - analyse any potential areas of weakness or vulnerability;
  - establish what personal data you hold and why, where it came from and who you share it with;
  - review business relationships with service providers, data providers and contractors and ensure they are GDPR compliant.
- Identify the lawful basis for your processing activity.
- Review/establish processes for seeking, recording and managing consent and refresh consents if they do not comply with GDPR.
- Document the procedure in place to detect, report and investigate personal data breaches, and audit it.
- Document and review procedures for communicating privacy information and for dealing with individuals’ rights regarding erasure, subject access requests, objections, transfer of data, etc.
- Make someone responsible for managing GDPR and data strategy.
- Add opt-ins to all your digital marketing, and ensure you get a double opt-in.
- Restrict access to personal data to only those who need to have access to it.
- Ensure you have up to date security systems, such as firewalls, backups, encryption and authentication and test them on a regular basis.
- Explain to users, in plain language, what data you’re holding, how long you’re holding it for, and how users can withdraw their consent. Your policy has to be simple, appropriate, and contain all the required information.
- Develop a detailed breach response plan, including when to notify regulators and individuals, as well as how to handle data breaches from a media perspective.
- Consider making financial provision to handle transitional costs, any data breaches and taking out insurance to cover data breaches.
- Keep records of any data breaches, what data was compromised and how the breach was dealt with as well as what steps are being taken to ensure that type of breach does not re-occur.
We are not saying that this is all you need to know about Data Protection, but if you address these issues it is likely that you will have covered all the most important matters.
Please feel free to ask any questions of our Consultants who would be pleased to advise on any element of this newsletter.