Most, if not all, organisations process personal data to some degree. Currently, this is governed by the Data Protection Act 1998, however as part of the European Commission’s attempts to ‘make Europe fit for the digital age’, data protection has undergone significant reform. In April 2016, the European Parliament approved the General Data Protection Regulation (GDPR); this is due to become effective in the UK in May 2018.
Its implementation will precede the UK’s exit from the EU, therefore regardless of Brexit negotiations there will be a period of time where GDPR will apply in the UK. It is likely that following Brexit, UK law will more or less mirror GDPR going forward.
GDPR introduces, in some areas, significant reforms to the data protection landscape in Europe and organisations have until 25 May 2018 to prepare - failure to do so could lead to penalties of up to the greater of 4% of turnover or €20M.
Our Data Protection and GDPR Hub provides an overview, updates and insights into what GDPR means for organisations within the UK.
We hope this information is helpful, however if you need further assistance in getting GDPR ready, our expert Data Protection and Information Security Team are ready to provide practical and commercial advice. Call us on 01382 229111 to find out more or complete our online enquiry form and we will contact you.
Here we answer your GDPR questions and provide guidance to ensure your organisation is compliant.
High level implications for employers as regards its relationship with its employees:
Organisations will require to appoint a Data Protection Officer if they fall into one of the following categories:
Organisations which do not fall into any of the above categories can choose to voluntarily appoint a DPO. However it seems unlikely that organisations will do so as even voluntarily appointed DPOs will have to adhere to the DPO’s obligations under the Regulation.
The Article 29 Working Party recommends that organisations keep a record of their internal analysis undertaken to determine whether a DPO is necessary to appoint or not. A fine of up to 2% of annual worldwide turnover or €10M could be issued by the ICO for those organisations which require a DPO but fail to appoint one.
GDPR sets out a minimum set of tasks attributed to the DPO. This includes (a) informing and advising the organisation and employees of GDPR and associated laws; (b) monitoring compliance with the GDPR and associated laws and the organisation’s policies and procedures, assigning responsibilities within the organisation and training staff involved in processing and audits; (c) provide advice regarding data protection impact assessments and monitor performance; (d) liaise with supervisory authority e.g. ICO; and (e) to act as the contact point for the supervisory authority on issues relating to processing.
The role demands expert knowledge of data protection and can be contracted out if necessary. It does not necessarily have to be a full time role, and provided there is no conflict of interest, the DPO can perform other tasks within the organisation.
The DPO must have access to top levels of management and must be involved, properly and in a timely manner in all areas which relate to the protection of personal data. The role has protected status and DPOs cannot be dismissed or penalised for performing their role. It is important that organisations designate time, funding and the necessary support to the DPO to allow them to fulfil their role.
The Article 29 Working Party has issued guidance on DPO’s which can be found here.
GDPR introduces a new positive obligation on Data Controllers to be able to demonstrate compliance with 6 data processing principles. This is called the ‘Accountability’ obligation. In practice, this means that it is not simply enough to process personal data in accordance with the principles; Data Controllers need to be able to demonstrate that they do so.
Compliance with this obligation is very much linked to complying with GDPR as a whole.
Organisations must review its processing requirements and design its approach to GDPR around those; part of this may include appointing a DPO, setting up a clear compliance structure, allocating responsibility for compliance among staff, provision of training, regular data audits, undertaking privacy impact assessments where appropriate, liaise with ICO (again where appropriate) etc. and all of this activity should be recorded on an ongoing basis so as to evidence compliance. It may be possible in the future to demonstrate compliance by signing up to a Code of Practice or becoming certified however, the viability of this option is currently unclear.
Unlike the DPA, a controller is no longer required to notify the ICO of the organisation’s processing activities, under the GDPR. However, that information which would previously have been required to have been reported is still required to be recorded by the organisation. Organisations are also under an express obligation to keep certain records of its specific processing activities. The size of your organisation will impact the level of records you require to keep.
If your organisation has more than 250 employees then you must maintain comprehensive internal records of processing activities. These include:
Data Processors must also keep records of its processing activities similar to the above.
If your organisation has fewer than 250 employees, it will only require maintaining such records where data processing activities relate to higher risk or frequent processing activities or processing which involves sensitive personal data or criminal convictions. However, where smaller organisations decide that they are not required to keep the foregoing records on the basis its processing does not fall within the categories where it would be required, it is advisable that they keep an accurate record of the internal analysis conducted to determine such a conclusion.
The ICO has wide investigative powers under GDPR and can request to see an organisation’s records. Therefore it is important that accurate and up-to date records are kept so that such a request can be easily complied with and evidence GDPR compliance.
The current law obliges data controllers to adopt ‘appropriate technical and organisational measures’ to protect against unauthorised or unlawful processing of its personal data and against accidental loss or destruction of, or damage to, its personal data. The measures adopted ought to reflect the state of technological developments available, implementation costs, nature of data and possible risks.
GDPR builds on the current law by widening the scope of issues organisations must take into consideration when deciding which measures are appropriate for them. In addition to what is currently required (see above), organisations’ technical and organisational measures must be designed to achieve the following objectives:-
Designing measures tailored to these issues is collectively known, under GDPR, as ‘privacy by design’. The practical measures adopted will vary among organisations, albeit there is a mandatory default position (‘privacy by default’); the technical and organisational measures adopted by organisations must ensure that, by default, only personal data which is absolutely necessary is processed. This means that organisations must, as a minimum, put in place measures to ensure that they do not collect unnecessary data, do not process unnecessary data, do not keep data for longer than necessary and access to the data should be limited to those who have a legitimate reason to access it.
An important element to these issues is that GDPR requires some forethought. The concept of designing your organisation’s technical and organisational measures around the relevant issues at hand should be undertaken at the earliest opportunity when considering processing data, and also later, when you are actually processing the data.
What does this mean for your organisation?
It is likely that even organisations that currently deploy good data management practices, will fall short of GDPR requirements. Organisations ought to review the measures it adopts and consider whether its practices reflect the requirements of GDPR and if not, what needs to be improved. This could be done as part of a wider project of getting GDPR ready.
It is also very important to educate and provide training for key members of staff who are involved in processing personal data on behalf of your organisation so that issues can be identified going forward, particularly prior to launching a new service which may impact data management (when you may wish to undertake a Privacy Impact Assessment). The principal of privacy by design should be a constant and evolving consideration for every organisation.
While at first glance this obligation may appear burdensome, it will hopefully allow organisations to identify and deal with risks at the earliest opportunity, which is likely to lead to reduced risk of enforcement action for organisations and better protection of rights for data subjects.
Relying on consent obtained prior to GDPR will continue to be a valid basis upon which to process data post-GDPR, provided such consent meets the requirements of GDPR. Organisations should review the basis upon which consent was obtained against GDPR requirements and consider whether fresh consent needs to be obtained or alternatively, identify whether processing can be legitimised by other means.
So what constitutes consent under GDPR?
Under GDPR, consent must be freely given, specific, and an informed and unambiguous indication of the individual’s wishes, by which he or she, by a statement or by a clear affirmative action (e.g. opt-in boxes), signifies agreement to the processing of personal data relating to him or her. Consent must not be tied to anything else such as service delivery and individuals must be able to withdraw it at any time.
This means that opt-out or deemed consent, such as silence, pre-ticked boxes or inactivity, will not be acceptable. Instead, the ICO recommends that organisations ensure that its consent mechanisms are specific, granular, clear, prominent, opt-in, documented and easily withdrawn. Some key things to think about are:
In some situations, consent will also have to be ‘explicit’. Examples include where an organisation processes ‘special categories of data’ (currently understood as ‘sensitive personal data’); or if it wishes to rely on consent to justify transferring personal data to a third country; or it wishes to legitimise automatic decision making. Explicit consent needs to be expressly confirmed by words as opposed to other affirmative action, which may otherwise be acceptable.
Organisations will also need to keep records evidencing that consent has been obtained, including what they were told and when and how they consented. Behind the scenes mechanisms will need to be put in place to manage consent withdrawal.
Consent is only one lawful basis for processing and organisations should consider whether it is the most appropriate basis on which to legitimise processing or if another is more appropriate. If consent is a condition of service or your organisation is in a position of power over the individual, then consent will most likely not be the most appropriate processing condition as you cannot offer the individual a genuine choice or control over how their data is processed. In such scenarios, organisations should consider relying on another ground to process data.
The concept of sensitive personal data in the GDPR is similar to that of the DPA. However it has been rebranded as ‘special categories of personal data” and the definition has been expanded so as to explicitly cover biometric and genetic data where used to identify a natural person. It no longer covers criminal convictions under the special category banner – this is dealt with separately. Processing of criminal convictions and offences can only be processed under the control of official authority or where authorised by applicable Union or Members State law.
GDPR states that special categories of personal data shall not be processed unless certain requirements are met – these are set out in Article 9(2) of the GDPR. The requirements – one of which must be met in order to process such data – are fairly similar to those set out in Schedule 3 of the DPA, however there are some subtle differences and Member States have the ability to introduce new provisions regarding the processing of genetic, biometric or health data.
Organisations should familiarise themselves with the new definition of sensitive personal data, as well as review their current practices for processing such data to ensure that they fall in line with the updated processing conditions.
If organisations are relying on explicit consent to process this type of data, it should review GDPR’s requirements about consent to make sure it meets those. Please click here to read our commentary on consent under GDPR.
If your organisation processes genetic, biometric or health data, it would be worth keeping an eye on further developments in this area as Member States do have the ability to introduce new provisions in this regard.
Lastly, if organisations are processing sensitive personal data on a large scale, they are likely to require to appoint a DPO. Please click here to read our commentary about DPOs.
GDPR has introduced specific protection with regard to the processing of data of children, who are identified as “vulnerable individuals” deserving of “specific protection”. Broadly, GDPR will impact the processing of children’s data by the following means:
This will present certain practical difficulties for organisations in terms of how they verify that consent is given or authorised by someone with parental responsibility as opposed to a child pretending to be the parent. It is easy to identify circumstances where relying on online consent to process data relating to a child from someone with parental responsibility could be open to challenge.
Organisations ought to review the basis upon which they process children’s data and identify if they are valid under GDPR. Even where consent is valid, such consent can be withdrawn at any time. Organisations would be wise to consider whether there is an alternative legal basis for processing which may be more suitable.
Organisations should also be aware that Member States, the EDPB and the Commission are encouraged to create codes of conduct in relation to the personal data of children. This may result in additional requirements being imposed following the implementation of such codes.
The ICO are due to publish further information on children’s personal data this year.
Many organisations outsource different aspects of their businesses, such as human resources or accounting. In these circumstances, while the organisation which has instructed the work will remain the data controller, the outsource organisation, carrying out the functions, will be the data processor. Data controllers, however, will no longer be the only to face legal repercussions for infringement of data protection laws, with both controllers and processors being potentially liable to individuals for non-compliance with the data principles under GDPR. Outsource companies will therefore have more onerous obligations placed upon them.
In their role as data processors, outsource companies will also be subject to the new accountability rules. This will require outsource companies to carefully consider their record keeping obligations and their procedures for conducting the necessary risk assessments so that they will not be subject to the new increased penalties. These additional requirements may result in significantly higher costs to outsource companies in conducting their work than previously incurred, which in turn is likely to have a knock on effect on organisations seeking to outsource, in their negotiations. Costs for engaging outsource companies are likely to increase to reflect the increasing internal costs, as well as the additional liability that they will have towards data subjects.
Furthermore, outsourcing activities which extend outwith the EEA will invoke supplementary considerations for organisations. Should the outsource organisations have servers outside of the EEA or indeed be situated elsewhere, then the data subjects will require to be informed of this. The data controller will also have to ensure that the outsource company adheres with the stringent GDPR requirements, possibly over and above those data protection requirements within their own country.
Although outsource companies will carry their own liability, it is for the organisations who outsource as data controllers, to make sure that the outsource organisations are fully aware of the obligations placed upon them. Data controllers should ensure that their data processors are familiar with their reporting obligations, such as the need for notification of any breach as soon as possible so that they, as controllers, can comply with their requirement to inform the ICO within 72 hours. It is advisable to factor this requirement for reporting and an agreed timescale in to any agreements between organisations and outsource companies at the outset.
Organisations who do currently instruct outsourcing activities should consider reviewing their existing agreements. Current contracts between parties may need to be renegotiated in light of the changes as this will be crucial in establishing the data processor’s obligations and liabilities once the GDPR enters into force.
The rights for data subjects contained in the GDPR broadly reflect and expand on those in the DPA with some new rights also being created. The GDPR represents fair and transparent procedures in relation to processing data. The GDPR increases the amount of information organisations need to provide to data subjects when obtaining information from them and also gives individuals a right of access to information held without charge. There is a requirement for organisations to rectify any incorrect data and, in certain situations, the right for individuals to have data deleted (commonly referred to as “the right to be forgotten”).
In addition to expanding on rights contained in the DPA, the GDPR also introduces the new right of data portability. This allows data subjects to request and reuse data held and to instruct the transfer of this data from one controller to another. This transfer can be completed by the data subject themselves or between controllers directly. Part of the reasoning behind this right is to allow data subjects to transfer between service providers more easily. This new right may require organisations to put new procedures in place to deal with the transfer of information. Furthermore it may create a more competitive environment between organisations as subjects can now move their data freely between controllers.
If the rights of a data subject are infringed, there are a number of ways in which this can be remedied.
Data subjects have the right to lodge complaints to the supervisory authority of the Member State in which they reside or the Member State in which the controller and/or processor is established. The supervisory authority must keep the individual informed of developments throughout the process and notify them of the progress or outcome of a complaint within three months. If the result of the supervisor authority’s investigation is not satisfactory, the data subject may be able to refer the matter for judicial review.
The GDPR allows for both the controller and the processor to be held liable, unlike the DPA where only the controller had liability. Additionally, in the event controllers or processors are involved in the same processing, the data subject may seek damages from only one party, with that party then recovering damages from the other.
The GDPR allows data subjects to appoint representatives to bring proceedings on their behalf as well as the possibility for data subjects to enter into class action claims. Each Member State will determine the level of fines imposed, in line with the new significantly inflated maximum fines under the GDPR, as well as if criminal sanctions are appropriate.
The GDPR puts the power into the hands of the data subjects and the onus on organisations to justify their processing. Organisations will need to consider the information that they currently provide data subjects with and whether this is sufficiently detailed to provide data subjects with all the facts that they are entitled to know. Procedures will also have to be reviewed to ensure that data can be transferred, deleted, restricted or rectified efficiently and that the data held by organisations has been obtained and processed in the correct way.
If a personal data breach is likely to risk the rights and freedoms of the data subject then the relevant supervisory authority, the ICO in the UK, must be notified. A personal data breach is defined by the ICO as, ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’
Each breach should be assessed individually to determine whether the event ought to be reported. If it is determined that it ought to be reported, this should be done within 72 hours of becoming aware of the breach, failing which the relevant organisation will need to justify the delay. Significant fines of up to 10 million Euros or 2 per cent of an organisation’s global turnover can be imposed for failing to inform the supervisory authority.
In certain circumstances the organisation will also be required to inform the individual concerned; this is where the breach presents a ‘high’ risk to the individual’s rights and freedoms.
It is recommended to give some forethought as to what your organisation would do in the event of a data security breach and put in place a plan to ensure any breach is dealt with in a fast and effective manner. Any such plan would include execution of any available organisational and technological workarounds to stem the breach, notification of the breach to ICO/individuals concerned and also how publicity ought to be handled. This will assist in minimising harm not only to the individual concerned but also to the organisation.
As far as the UK is concerned, the ICO is likely to be the Supervisory Authority under GDPR.
Currently, the ICO has the ability to impose a fine on organisations for non-compliance with data protection laws of up to £500,000. In contrast, the GDPR will have a two tier penalty system in relation to fines. In the top tier, the ICO will be able to issue fines of up to 4% of annual worldwide turnover or €20M, whichever is greater. This will be applicable in such situations as where an organisation has failed to comply with any of the 6 general principles, such as failing to process data in accordance with the rights of the data subject. In the second tier, for such failures as not notifying the ICO of a personal breach or not putting in place an adequate contract with a processor, fines could be up to 2% of worldwide annual turnover or €10M, whichever is the greater.
In addition to fines, the ICO also has a wide range of investigative and corrective powers available to them to deal with potential data breaches. Its investigative powers include the ability to request disclosure of any information from an organisation and access to relevant property and equipment, data protection audits and reviews, all of which the organisation must cooperate fully with.
If following its investigation it identifies practices of non-compliance with the GDPR (or practices which are likely to infringe the GDPR), the ICO has a range of powers it may exercise. In addition to a fine discussed above, these can include:
Before using any corrective powers, the ICO will consider such aspects as the gravity of the breach, the intention behind the action taken by the organisation, steps taken by the organisation to mitigate the breach, as well as if there has been any financial benefit derived from the breach. It is recommended that organisations keep a thorough paper trail as to their approach to GDPR compliance, which could prove useful in the event of a breach.
The wide breadth of sanctions and enforcement powers of the ICO make it all the more important that organisation prepare themselves for compliance with the GDPR.
The European Data Protection Board (the “Board”) is the independent supervisory authority, at EU level, which will replace the current Article 29 Working Party. The Board will be a body of the European Union with its own legal personality, Chair and Secretariat.
Similarly to the Working Party, the Board will be composed of the head of the Supervisory Authority for each Member State and the European Data Protection Supervisor. The Commission shall also have the right to participate in and be kept up to date with the Board’s activities although it shall have no voting rights. This is a key requirement to ensure the independence of the Board.
GDPR sets out the tasks of the Board in detail. Generally, the remit of the Board is to ensure the consistent application of GDPR among Member States. In doing so the Board shall promote cooperation between supervisory authorities, issue opinions to supervisory authorities, settle disputes among supervisory authorities, provide training, issue guidance for controllers and processors etc.
The Board’s work is similar in many respects to the Article 29 Working Party however it is expected the Board will have greater force.
The current Data Protection Act 1998 (DPA) provides that where a data controller engages suppliers that are deemed ‘data processors’ under the DPA, this must be done by way of written contract. Within this written contract, certain matters must be addressed; in short the supplier/data processor must agree to only act on the data controller’s instructions and to comply with the seventh data protection principle i.e. to have appropriate technical and organisational measures in place to prevent unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Going forward, the General Data Protection Regulation (GDPR) due to come into force on 25th May 2018, will maintain the requirement for a data controller to engage suppliers/processors in written terms. However, the GDPR requires the contract to contain more information that what is currently required under the DPA. This will require controllers or large suppliers with standard form contracts to revisit their contracts and update the terms to meet the requirements of GDPR. This note provides a brief high-level overview of what these requirements are.
Article 28 of the GDPR stipulates that processing by a data processor shall be governed by written contract. The general topics which must be covered by the contract are:
There are also specific obligations which must be addressed in the contract incumbent on the processor:
Comparatively, the information required under GDPR is consistently more than what the DPA provides. Given GDPR does not allow any grand-fathering of contracts we recommend that parties review the terms upon which they engage suppliers (and where that supplier is a data processor) imminently. Similarly, suppliers ought to review their standard term contracts. It may take some time to update and renegotiate these contracts, therefore we recommend that the process is started as soon as possible to ensure it can be completed by May 2018.
A data processor is any entity which processes personal data on behalf of the data controller. A data controller is the entity which determines what data is collected and what it is to be used for. The crucial difference between controllers and processors is that processors exercise no control over what data is collected and what it is used for; they merely facilitate the collection of data and use it for set purposes decided by the controller. Current legislation, the Data Protection Act 1998 (“DPA”), only applies to data controllers but under the General Data Protection Regulation (“GDPR) due to come into force on 25th May 2018, both controllers and processors will be caught.
This is a significant shift for data processors and this note will outline how GDPR shall impact data processors and the provision of their services.
GDPR Impact on Processors
The above sets out on a high level the key changes that GDPR shall bring about for processors. We recommend that processors start preparing for GDPR now and evaluate and address the additional risk and cost GDPR may present to their organisation.
We receive many questions about Data Protection rules and regulations. Here are some links to other useful sources of information.
If you would like us to call you, complete our quick call back form below.
Our Local Offices
We have offices across Scotland, offering legal advice and property servicesView All Offices
+44(0)131 225 8705