GDPR Legal Advice

Most, if not all, organisations process personal data to some degree.  Currently, this is governed by the Data Protection Act 1998; however, as part of the European Commission’s attempts to ‘make Europe fit for the digital age’, data protection has undergone significant reform.  In April 2016, the European Parliament approved the General Data Protection Regulation (GDPR); this is due to become effective in the UK in May 2018.

Its implementation will precede the UK’s exit from the EU; therefore, regardless of the Brexit negotiations, there will be a period of time during which GDPR will apply in the UK. It is likely that following Brexit, UK law will more or less mirror GDPR going forward.

GDPR introduces, in some areas, significant reforms to the data protection landscape in Europe, and organisations have until 25 May 2018 to prepare. Failure to do so could lead to penalties of up to the greater of 4% of turnover or €20M.

Our Data Protection and GDPR Hub provides an overview, updates and insights into what GDPR means for organisations within the UK. 

We hope this information is helpful, however if you need further assistance in getting GDPR ready, our expert Data Protection and Information Security Team are ready to provide practical and commercial advice. Call us on 01382 229111 to find out more or complete our online enquiry form and we will contact you.

GDPR Broken Down

Here we answer your GDPR questions and provide guidance to ensure your organisation is compliant.

What does GDPR mean for employers?

High-level implications for employers as regards their relationship with their employees:

  • Sanctions for mishandling personal data of staff: increased from a maximum of £500K to the greater of (up to) 4% of annual turnover or €20M.
  • Appointment of Data Protection Officer: a new role may need to be created within the organisation if: (i) the employer is a public authority; (ii) the core activities require regular and systematic monitoring of data subjects on a large scale; or (iii) the core activities consist of large-scale processing of special categories of data (formerly sensitive personal data) or of data relating to criminal convictions and offences.  The responsibilities of the DPO are extensive and require a sound working knowledge of GDPR.  The role can be contracted out.
  • Information given to employees when collecting personal data: must be concise, intelligible and communicated by means likely to be noticed and read by employees.  The extent of the information to be provided to employees about how the employer will handle their personal data has increased.  For example, employers will need to inform employees at the point of data collection how long the data will be stored, the rights employees have over their data, how to lodge a complaint with the ICO, etc.  Employers ought to review their information notices and amend them as necessary to reflect GDPR requirements.
  • Consent and basis for processing: most employers rely on employee consent as the basis for processing.  GDPR states that consent must be ‘freely given’.  It is arguable that employee consent is not ‘freely’ given where a refusal would put the employee under pressure from their employer.  GDPR also allows employees to withdraw consent at any time.  In effect, GDPR will make it much harder to rely on consent as a basis for processing employee personal data, and employers should consider other means to legitimise processing.
  • Accountability & Privacy By Design: compliance with GDPR is not in itself sufficient.  Employers must be able to demonstrate compliance by having appropriate policies, procedures, privacy impact assessments and training in place (as appropriate).  The employer’s approach to data protection must be designed to reflect risk.
  • Prevents Automated Decision Making: employees can object to being the subject of a decision made solely by automated decision making which produces legal effects for that employee.  This could apply to decisions surrounding performance management, sickness, bonuses, etc.  Employers should consider other methods of making such decisions so that they are not relying solely on automated decision making.
  • Data Subject Rights: GDPR expands the rights of data subjects to include, for example, the right to be forgotten, the right to portability and the right to prevent customer profiling.  Employers can no longer charge to deal with subject access requests.  The time frame for responding has changed from 40 days to 1 month.  This will result in added pressure on employers when responding to DSARs, and it is recommended that sufficient training is put in place to enable relevant employees to respond to a wider scope of requests from data subjects within a shorter time period.

What is a Data Protection Officer and which organisations require them?

Organisations will be required to appoint a Data Protection Officer if they fall into one of the following categories:

  • a public authority (except courts acting in their judicial capacity), e.g. a University or Local Council;
  • an organisation whose core activities involve data processing which requires regular and systematic monitoring of data subjects on a large scale, e.g. a large insurance firm;
  • a company whose core activities consist of processing special categories of data or personal data relating to criminal convictions and offences, on a large scale; or
  • an organisation based in a Member State which requires it, e.g. Poland.

Organisations which do not fall into any of the above categories can choose to appoint a DPO voluntarily.  However, it seems unlikely that organisations will do so, as even voluntarily appointed DPOs will have to adhere to the DPO’s obligations under the Regulation.

The Article 29 Working Party recommends that organisations keep a record of the internal analysis undertaken to determine whether or not it is necessary to appoint a DPO.  A fine of up to 4% of annual worldwide turnover or €20M could be issued by the ICO to those organisations which require a DPO but fail to appoint one.

GDPR sets out a minimum set of tasks attributed to the DPO.  These include (a) informing and advising the organisation and its employees about GDPR and associated laws; (b) monitoring compliance with GDPR and associated laws and with the organisation’s policies and procedures, including assigning responsibilities within the organisation and training staff involved in processing and audits; (c) providing advice regarding data protection impact assessments and monitoring their performance; (d) liaising with the supervisory authority, e.g. the ICO; and (e) acting as the contact point for the supervisory authority on issues relating to processing.

The role demands expert knowledge of data protection and can be contracted out if necessary.  It does not necessarily have to be a full time role, and provided there is no conflict of interest, the DPO can perform other tasks within the organisation.

The DPO must have access to the top levels of management and must be involved, properly and in a timely manner, in all areas which relate to the protection of personal data.  The role has protected status, and DPOs cannot be dismissed or penalised for performing their role.  It is important that organisations designate time, funding and the necessary support to the DPO to allow them to fulfil their role.

The Article 29 Working Party has issued guidance on DPOs.

What is the new Accountability obligation on Data Controllers?

GDPR introduces a new positive obligation on Data Controllers to be able to demonstrate compliance with the 6 data processing principles.  This is called the ‘Accountability’ obligation.  In practice, this means that it is not enough simply to process personal data in accordance with the principles; Data Controllers need to be able to demonstrate that they do so.

Compliance with this obligation is very much linked to complying with GDPR as a whole.

Organisations must review their processing requirements and design their approach to GDPR around those.  This may include appointing a DPO, setting up a clear compliance structure, allocating responsibility for compliance among staff, providing training, carrying out regular data audits, undertaking privacy impact assessments where appropriate and liaising with the ICO (again, where appropriate).  All of this activity should be recorded on an ongoing basis so as to evidence compliance.  It may be possible in the future to demonstrate compliance by signing up to a Code of Practice or becoming certified; however, the viability of this option is currently unclear.

Under the GDPR, unlike the DPA, a controller is no longer required to notify the ICO of the organisation’s processing activities.  However, the information which would previously have been reported must still be recorded by the organisation. Organisations are also under an express obligation to keep certain records of their specific processing activities.  The size of your organisation will affect the level of records you are required to keep.

If your organisation has more than 250 employees then you must maintain comprehensive internal records of processing activities. These include:

  1. contact details of the Data Controller and where applicable, the joint controller and any Data Protection Officer;
  2. purposes of processing;
  3. a description of the categories of data subjects and the categories of personal data;
  4. a description of the recipients to whom personal data have been or will be disclosed;
  5. any transfers of personal data to a third country or an international organisation;
  6. where possible, the envisaged time limits for erasure of different categories of data;
  7. where possible, a general description of the technical and organisational measures adopted.

Data Processors must also keep records of their processing activities similar to the above.

If your organisation has fewer than 250 employees, it will only be required to maintain such records where its data processing activities involve higher-risk or frequent processing, or processing which involves sensitive personal data or criminal convictions. However, where smaller organisations decide that they are not required to keep the foregoing records on the basis that their processing does not fall within the categories where it would be required, it is advisable that they keep an accurate record of the internal analysis conducted to reach that conclusion.

The ICO has wide investigative powers under GDPR and can request to see an organisation’s records. It is therefore important that accurate and up-to-date records are kept, so that such a request can be complied with easily and GDPR compliance evidenced.

What is ‘Privacy by Design and Default’ and what does this mean for my organisation?

The current law obliges data controllers to adopt ‘appropriate technical and organisational measures’ to protect the personal data they hold against unauthorised or unlawful processing and against accidental loss, destruction or damage.  The measures adopted ought to reflect the state of technological developments available, implementation costs, the nature of the data and the possible risks.

GDPR builds on the current law by widening the scope of issues organisations must take into consideration when deciding which measures are appropriate for them.  In addition to what is currently required (see above), organisations’ technical and organisational measures must be designed to achieve the following objectives:

  1. compliance with the data protection principles (e.g. data minimisation);
  2. compliance with the wider obligations of GDPR;
  3. reflective of the nature, scope, context and purposes of the processing; and
  4. reflective of any risks to the rights and freedoms of the data subjects posed by such processing. 

Designing measures tailored to these issues is collectively known, under GDPR, as ‘privacy by design’.  The practical measures adopted will vary among organisations, albeit there is a mandatory default position (‘privacy by default’); the technical and organisational measures adopted by organisations must ensure that, by default, only personal data which is absolutely necessary is processed.  This means that organisations must, as a minimum, put in place measures to ensure that they do not collect unnecessary data, do not process unnecessary data, do not keep data for longer than necessary and access to the data should be limited to those who have a legitimate reason to access it.

An important element of these obligations is that GDPR requires some forethought.  Designing your organisation’s technical and organisational measures around the relevant issues should be undertaken at the earliest opportunity when considering processing data, and also later, when you are actually processing the data.

What does this mean for your organisation?

It is likely that even organisations which currently deploy good data management practices will fall short of GDPR requirements.  Organisations ought to review the measures they adopt and consider whether their practices reflect the requirements of GDPR and, if not, what needs to be improved.  This could be done as part of a wider project of getting GDPR ready.

It is also very important to educate and provide training for key members of staff who are involved in processing personal data on behalf of your organisation, so that issues can be identified going forward, particularly prior to launching a new service which may impact data management (when you may wish to undertake a Privacy Impact Assessment).  The principle of privacy by design should be a constant and evolving consideration for every organisation.

While at first glance this obligation may appear burdensome, it will hopefully allow organisations to identify and deal with risks at the earliest opportunity, which is likely to lead to reduced risk of enforcement action for organisations and better protection of rights for data subjects.

We rely on consent to process personal data. How does GDPR affect this?

Relying on consent obtained prior to GDPR will continue to be a valid basis upon which to process data post-GDPR, provided such consent meets the requirements of GDPR.  Organisations should review the basis upon which consent was obtained against GDPR requirements and consider whether fresh consent needs to be obtained or alternatively, identify whether processing can be legitimised by other means.

So what constitutes consent under GDPR?

Under GDPR, consent must be freely given, specific, and an informed and unambiguous indication of the individual’s wishes, by which he or she, by a statement or by a clear affirmative action (e.g. opt-in boxes), signifies agreement to the processing of personal data relating to him or her.  Consent must not be tied to anything else such as service delivery and individuals must be able to withdraw it at any time.

This means that opt-out or deemed consent, such as silence, pre-ticked boxes or inactivity, will not be acceptable.  Instead, the ICO recommends that organisations ensure that their consent mechanisms are specific, granular, clear, prominent, opt-in, documented and easily withdrawn. Some key things to think about are:

  • Unbundled: consent should not generally be a precondition of signing up to a service.
  • Active opt-in: pre-ticked opt-in boxes are invalid.
  • Granular: provide options to consent to different types of processing.
  • Named: name your organisation and any third parties who will be relying on consent.
  • Ability to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. Provide an easy and quick way for people to exercise this right.

In some situations, consent will also have to be ‘explicit’.  Examples include where an organisation processes ‘special categories of data’ (currently understood as ‘sensitive personal data’); or if it wishes to rely on consent to justify transferring personal data to a third country; or it wishes to legitimise automatic decision making.  Explicit consent needs to be expressly confirmed by words as opposed to other affirmative action, which may otherwise be acceptable.

Organisations will also need to keep records evidencing that consent has been obtained, including what individuals were told and when and how they consented.  Behind-the-scenes mechanisms will need to be put in place to manage consent withdrawal.

Consent is only one lawful basis for processing and organisations should consider whether it is the most appropriate basis on which to legitimise processing or if another is more appropriate.  If consent is a condition of service or your organisation is in a position of power over the individual, then consent will most likely not be the most appropriate processing condition as you cannot offer the individual a genuine choice or control over how their data is processed.  In such scenarios, organisations should consider relying on another ground to process data. 

We process sensitive personal data. How does GDPR affect this?

The concept of sensitive personal data in the GDPR is similar to that of the DPA. However, it has been rebranded as ‘special categories of personal data’ and the definition has been expanded so as to explicitly cover biometric and genetic data where used to identify a natural person. It no longer covers criminal convictions under the special category banner; this is dealt with separately.  Data relating to criminal convictions and offences can only be processed under the control of official authority or where authorised by applicable Union or Member State law.

GDPR states that special categories of personal data shall not be processed unless certain requirements are met; these are set out in Article 9(2) of the GDPR.  The requirements, one of which must be met in order to process such data, are fairly similar to those set out in Schedule 3 of the DPA; however, there are some subtle differences, and Member States have the ability to introduce new provisions regarding the processing of genetic, biometric or health data.

Organisations should familiarise themselves with the new definition of sensitive personal data, as well as review their current practices for processing such data to ensure that they fall in line with the updated processing conditions.  

If organisations are relying on explicit consent to process this type of data, they should review GDPR’s requirements about consent to make sure they meet them.  See our commentary on consent under GDPR above.

If your organisation processes genetic, biometric or health data, it would be worth keeping an eye on further developments in this area as Member States do have the ability to introduce new provisions in this regard.  

Lastly, if organisations are processing sensitive personal data on a large scale, they are likely to be required to appoint a DPO.  See our commentary about DPOs above.

Our organisation processes data of children. Will GDPR affect this?

GDPR has introduced specific protection with regard to the processing of data of children, who are identified as “vulnerable individuals” deserving of “specific protection”. Broadly, GDPR will impact the processing of children’s data by the following means:

  • Parental Consent for Online Services: if your organisation targets online services at children and the processing condition relied upon is consent, then, following GDPR, such consent will only be valid if the child is at least 16 years old or if consent is provided by someone who has parental responsibility for that child. Member States have some discretion in relation to the age at which a person is considered to be a child, in so far as they may lower it, provided it is not lowered below 13 years.  It has been reported that the UK may consider lowering the age to 13 years.

This will present certain practical difficulties for organisations in terms of how they verify that consent is given or authorised by someone with parental responsibility as opposed to a child pretending to be the parent.  It is easy to identify circumstances where relying on online consent to process data relating to a child from someone with parental responsibility could be open to challenge.

Organisations ought to review the basis upon which they process children’s data and identify whether it is valid under GDPR.  Even where consent is valid, such consent can be withdrawn at any time.  Organisations would be wise to consider whether there is an alternative legal basis for processing which may be more suitable.

  • Privacy Notices: privacy notices and information directed at children must be written in clear and plain language that they can easily understand.
  • Profiling and Automated Decision Making: GDPR contains restrictions on decisions based solely on automated processing and profiling if the decisions significantly affect the data subject. One restriction is that such measures should not be used when concerning children.

Organisations should also be aware that Member States, the EDPB and the Commission are encouraged to create codes of conduct in relation to the personal data of children. This may result in additional requirements being imposed following the implementation of such codes.

The ICO is due to publish further information on children’s personal data this year.

How does GDPR impact our relationship with our suppliers?

Many organisations outsource different aspects of their businesses, such as human resources or accounting. In these circumstances, while the organisation which has instructed the work will remain the data controller, the outsource organisation carrying out the functions will be the data processor.  Data controllers, however, will no longer be the only party to face legal repercussions for infringement of data protection laws, with both controllers and processors being potentially liable to individuals for non-compliance with the data protection principles under GDPR.  Outsource companies will therefore have more onerous obligations placed upon them.

In their role as data processors, outsource companies will also be subject to the new accountability rules.  This will require outsource companies to carefully consider their record-keeping obligations and their procedures for conducting the necessary risk assessments so that they are not subject to the new increased penalties.  These additional requirements may result in significantly higher costs to outsource companies in conducting their work than previously incurred, which in turn is likely to have a knock-on effect on the negotiations of organisations seeking to outsource.  Costs for engaging outsource companies are likely to increase to reflect their increasing internal costs, as well as the additional liability that they will have towards data subjects.

Furthermore, outsourcing activities which extend outwith the EEA will invoke supplementary considerations for organisations.  Should the outsource organisation have servers outside the EEA, or indeed be situated elsewhere, then the data subjects will need to be informed of this.  The data controller will also have to ensure that the outsource company adheres to the stringent GDPR requirements, possibly over and above the data protection requirements within its own country.

Although outsource companies will carry their own liability, it is for the organisations who outsource, as data controllers, to make sure that the outsource organisations are fully aware of the obligations placed upon them.  Data controllers should ensure that their data processors are familiar with their reporting obligations, such as the need to notify any breach as soon as possible so that they, as controllers, can comply with their requirement to inform the ICO within 72 hours. It is advisable to factor this reporting requirement, and an agreed timescale, into any agreements between organisations and outsource companies at the outset.

Organisations who do currently instruct outsourcing activities should consider reviewing their existing agreements. Current contracts between parties may need to be renegotiated in light of the changes as this will be crucial in establishing the data processor’s obligations and liabilities once the GDPR enters into force.

What rights and remedies do data subjects have under GDPR?

The rights for data subjects contained in the GDPR broadly reflect and expand on those in the DPA, with some new rights also being created. The GDPR requires fair and transparent procedures in relation to processing data. It increases the amount of information organisations need to provide to data subjects when obtaining information from them and also gives individuals a right of access to the information held, without charge. There is a requirement for organisations to rectify any incorrect data and, in certain situations, a right for individuals to have data deleted (commonly referred to as “the right to be forgotten”).

In addition to expanding on rights contained in the DPA, the GDPR also introduces the new right of data portability. This allows data subjects to request and reuse data held and to instruct the transfer of this data from one controller to another. This transfer can be completed by the data subject themselves or between controllers directly. Part of the reasoning behind this right is to allow data subjects to transfer between service providers more easily. This new right may require organisations to put new procedures in place to deal with the transfer of information. Furthermore it may create a more competitive environment between organisations as subjects can now move their data freely between controllers.

If the rights of a data subject are infringed, there are a number of ways in which this can be remedied.

Data subjects have the right to lodge complaints with the supervisory authority of the Member State in which they reside or the Member State in which the controller and/or processor is established. The supervisory authority must keep the individual informed of developments throughout the process and notify them of the progress or outcome of a complaint within three months. If the result of the supervisory authority’s investigation is not satisfactory, the data subject may be able to refer the matter for judicial review.

The GDPR allows for both the controller and the processor to be held liable, unlike the DPA where only the controller had liability. Additionally, in the event controllers or processors are involved in the same processing, the data subject may seek damages from only one party, with that party then recovering damages from the other.

The GDPR allows data subjects to appoint representatives to bring proceedings on their behalf as well as the possibility for data subjects to enter into class action claims. Each Member State will determine the level of fines imposed, in line with the new significantly inflated maximum fines under the GDPR, as well as if criminal sanctions are appropriate.

The GDPR puts the power into the hands of the data subjects and the onus on organisations to justify their processing. Organisations will need to consider the information that they currently provide data subjects with and whether this is sufficiently detailed to provide data subjects with all the facts that they are entitled to know. Procedures will also have to be reviewed to ensure that data can be transferred, deleted, restricted or rectified efficiently and that the data held by organisations has been obtained and processed in the correct way.

Requirement to notify breaches to the Supervisory Authority

If a personal data breach is likely to result in a risk to the rights and freedoms of the data subject, then the relevant supervisory authority, the ICO in the UK, must be notified. A personal data breach is defined by the ICO as ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’

Each breach should be assessed individually to determine whether the event ought to be reported. If it is determined that it ought to be reported, this should be done within 72 hours of becoming aware of the breach, failing which the relevant organisation will need to justify the delay. Significant fines of up to 10 million Euros or 2 per cent of an organisation’s global turnover can be imposed for failing to inform the supervisory authority.

In certain circumstances the organisation will also be required to inform the individual concerned; this is where the breach presents a ‘high’ risk to the individual’s rights and freedoms.

It is recommended to give some forethought as to what your organisation would do in the event of a data security breach and put in place a plan to ensure any breach is dealt with in a fast and effective manner.  Any such plan would include execution of any available organisational and technological workarounds to stem the breach, notification of the breach to ICO/individuals concerned and also how publicity ought to be handled.  This will assist in minimising harm not only to the individual concerned but also to the organisation.

What investigative and corrective powers will the ICO have?

As far as the UK is concerned, the ICO is likely to be the Supervisory Authority under GDPR.

Currently, the ICO has the ability to impose a fine on organisations for non-compliance with data protection laws of up to £500,000.  In contrast, the GDPR will have a two-tier penalty system in relation to fines.  In the top tier, the ICO will be able to issue fines of up to 4% of annual worldwide turnover or €20M, whichever is the greater.  This will be applicable in such situations as where an organisation has failed to comply with any of the 6 general principles, such as failing to process data in accordance with the rights of the data subject.  In the second tier, for such failures as not notifying the ICO of a personal data breach or not putting in place an adequate contract with a processor, fines could be up to 2% of worldwide annual turnover or €10M, whichever is the greater.

In addition to fines, the ICO also has a wide range of investigative and corrective powers available to it to deal with potential data breaches.  Its investigative powers include the ability to request disclosure of any information from an organisation, to obtain access to relevant property and equipment, and to carry out data protection audits and reviews, all of which the organisation must cooperate with fully.

If, following its investigation, it identifies practices which do not comply with the GDPR (or practices which are likely to infringe the GDPR), the ICO has a range of powers it may exercise.  In addition to the fines discussed above, these can include:

  • warnings;
  • reprimands;
  • an order to comply with data subjects’ requests;
  • an order to rectify non-compliance and bring practices into compliance with the GDPR within a specified time frame;
  • an order requiring the controller to communicate a data breach to the data subject;
  • imposition of a temporary or definitive limitation or ban on processing;
  • an order regarding the rectification or erasure of personal data or restriction of processing and notification of such actions to recipients of personal data;
  • an order suspending data flows to a recipient in a third country or to an international organisation.

Before using any corrective powers, the ICO will consider such aspects as the gravity of the breach, the intention behind the action taken by the organisation and the steps taken by the organisation to mitigate the breach, as well as whether any financial benefit has been derived from the breach.  It is recommended that organisations keep a thorough paper trail of their approach to GDPR compliance, which could prove useful in the event of a breach.

The wide breadth of sanctions and enforcement powers of the ICO makes it all the more important that organisations prepare themselves for compliance with the GDPR.

What is the European Data Protection Board?

The European Data Protection Board (the “Board”) is the independent supervisory authority, at EU level, which will replace the current Article 29 Working Party. The Board will be a body of the European Union with its own legal personality, Chair and Secretariat.

As with the Working Party, the Board will be composed of the head of the Supervisory Authority for each Member State and the European Data Protection Supervisor. The Commission shall also have the right to participate in and be kept up to date with the Board’s activities, although it shall have no voting rights.  This is a key requirement to ensure the independence of the Board.

GDPR sets out the tasks of the Board in detail.  Generally, the remit of the Board is to ensure the consistent application of GDPR among Member States.  In doing so, the Board shall promote cooperation between supervisory authorities, issue opinions to supervisory authorities, settle disputes among supervisory authorities, provide training, issue guidance for controllers and processors, etc.

The Board’s work is similar in many respects to that of the Article 29 Working Party; however, it is expected that the Board will have greater force.
