On 25 May 2018, the General Data Protection Regulation (GDPR) will become effective in all EU member states and will apply to all organisations operating in the EU (including non-EU organisations that offer goods or services to individuals in the EU, or that monitor their behaviour). The expectation of the GDPR is that organisations will be fully compliant on that date. There will be no grace period.
In recent months the GDPR has been a popular topic for blogs and articles. Much of the focus has been on the increased compliance burden (imposed on organisations) and the associated financial penalties for data protection breaches.
A lot of the coverage and commentary has been classified as “scaremongering” and as an attempt to induce organisations into paying unscrupulous “advisers” to make them GDPR compliant by 25 May 2018, or risk the Information Commissioner’s Office (ICO), the relevant regulator in the UK, imposing fines of up to €20 million for minor infringements.
In fact, the misinformation reached such a “pitch” that the ICO released a statement describing the GDPR as an evolution in data protection rather than a revolution. The implication is that an organisation which is compliant with the Data Protection Act 1998 (DPA) will already be largely compliant with the GDPR.
Whilst it is widely accepted that compliance with the current legislation is a good starting point, organisations should not underestimate the amount of work that may be required to become GDPR compliant, and to maintain that compliance on an ongoing basis.
With 25 May fast approaching, this article considers, with reference to the ICO’s 12 practical steps to take now, some of the key considerations which organisations should be thinking about in anticipation of that date.
1. Awareness
One of the key aims of the GDPR is to promote data protection being considered at board level. It is therefore essential that organisations make their directors and key decision makers aware of the changes under the GDPR and its impact on the organisation.
2. Information Review
Under the GDPR organisations are required to keep accurate records of their processing activities. Each organisation should conduct an information review to identify: (a) what personal information it currently holds; (b) how the information is used; (c) how the information is collected; (d) how and where the information is stored; and (e) what information is shared with third parties (if any). Knowing what information is held and where it came from enables inaccuracies to be corrected and communicated to those with whom the personal data has been shared, so that their records can also be updated.
Conducting this review will also enable you to demonstrate how your organisation complies with the data protection principles.
3. Communicating privacy information
The GDPR requires that additional information be communicated to individuals when their personal information is collected. For example, you must explain the lawful basis on which you process their information and how long the information will be retained.
You should review your current privacy notice to identify what additional information needs to be communicated to individuals.
4. Individuals’ Rights
The GDPR expands the rights afforded to individuals, such as the right to erasure of personal data and the right to portability of personal information. Your current policies should be reviewed to ensure they cover the enhanced rights.
5. Data subject access requests
You should ensure that you implement procedures to deal with requests from data subjects (the individuals to whom the personal information relates) to access the information you hold on them. The timeline for providing the information has been reduced from 40 days to one month, and in most cases you will no longer be able to charge a fee. You may be entitled to refuse a request; however, you will need to demonstrate that the request was manifestly unfounded or excessive. You will have to explain to the data subject why you are refusing the request and inform them that they may complain to the supervisory authority.
6. Lawful basis for processing information
Under the GDPR you must have, and must communicate to the data subject, a lawful basis for processing their personal information. One of the following must apply to each processing activity:
- consent – the data subject has given clear, unambiguous consent for you to process their personal information for a specified purpose.
- contractual necessity – the processing is necessary for the performance of a contract with the data subject.
- legal obligation – the processing is necessary for you to comply with the law.
- vital interest – the processing is necessary for the protection of the data subject’s vital interests (e.g. to protect life).
- public interest – the processing is necessary for you to perform a task carried out in the public interest or in the exercise of official authority (e.g. tasks carried out by public authorities).
- legitimate interest – the processing is necessary for your legitimate interests or the legitimate interests of a third party, provided that such legitimate interests are not overridden by the interests, rights or freedoms of the data subject.
7. Consent
The requirements for consent under the GDPR are more onerous than under the DPA. Under the GDPR consent must be freely given, specific, informed and an unambiguous indication (either by a clear statement or other affirmative action) that the data subject is agreeing to the processing of their personal information. Consent should also be as easy to withdraw as it is to give. Pre-ticked boxes, inactivity or silence will not constitute consent under the GDPR.
You should review your current policy to establish whether you will need to update the way in which you obtain, record and manage consent.
8. Children
Where you rely on consent to offer online services directly to children, a child under the age of 13 (the threshold adopted in the UK; the GDPR default is 16) cannot give valid consent. For a child under that age you will need to obtain consent from a person holding ‘parental responsibility’. Consequently, you may need to implement a system to verify data subjects’ ages and obtain parental consent where necessary.
9. Breach notification
The GDPR requires that certain personal data breaches are reported to the ICO. You must notify the ICO, without undue delay and where feasible within 72 hours of becoming aware of it, of any breach that is likely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, you must also inform the affected individuals without undue delay. You should establish and implement adequate procedures to detect, investigate and report data breaches.
10. Data Protection Impact Assessment
The GDPR requires organisations to adopt a “data protection by design and by default” approach. This means that organisations will be under a specific obligation to consider data protection at the initial stages of any data processing and throughout the data processing lifecycle. Integral to data protection by design is the data protection impact assessment (DPIA), which will assist you with ongoing compliance with your data protection obligations.
A DPIA will be mandatory where the processing is likely to result in a high risk to individuals, for example:
- where new technology is being deployed; or
- where special categories of information are processed on a large scale.
11. Data Protection Officer
The GDPR requires certain organisations to formally appoint a data protection officer (DPO). For example, you must appoint a DPO if:
- you are a public authority;
- your core activities consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- your core activities consist of large-scale processing of “special categories” of data (i.e. highly sensitive information such as information about a person’s health or political opinions) or of data relating to criminal convictions and offences.
Even if you are not obligated under the GDPR to formally appoint a DPO you should at least designate someone to take responsibility for the organisation’s data protection compliance.
12. Lead data protection authority
Organisations which operate in more than one EU member state will need to identify their lead data protection supervisory authority. This will be the supervisory authority of the member state in which the organisation’s main establishment (normally its central administration) is located. The lead supervisory authority will have primary responsibility for cross-border data protection matters.
For further information, please contact Richard Collis