The General Data Protection Regulation (GDPR) is the EU data protection regulation that has applied since 25 May 2018 (it entered into force in May 2016 with a two-year transition period), alongside the UK Data Protection Act 2018, and it represents a significant reform in data protection.
Regardless of Brexit, if your organisation processes any personal data, it must comply with GDPR/DPA 2018 as well as other relevant data protection focused legislation.
For individuals, GDPR aims to strengthen European citizens’ rights in relation to how their personal data are processed. For organisations, it aims to provide support by doing away with the current fragmented approach held across Europe and replace it with a more harmonised regime.
GDPR expands the rights of individuals (referred to as ‘data subjects’) over the use of their data when compared with the previous regime under the Data Protection Act 1998:
- The right to be informed.
- The right of access to information without charge and within a shorter timeframe – down from 40 days to 1 month.
- The right to object to processing, including processing based on legitimate interests or a public task, and not only processing that causes damage or distress.
- The right to prevent processing for direct marketing.
- The right to object to decisions being taken by automated means including profiling.
- The right to have inaccurate data rectified.
- The right to restrict processing.
- In certain situations, the right to have data deleted (commonly referred to as ‘the right to be forgotten’).
- The right of data portability, where they can request and reuse data held and instruct its transfer from one Data Controller to another.
The transfer can be completed by the data subject themselves or between controllers directly. Part of the reasoning behind this is to allow data subjects to transfer between service providers more easily. This right may require organisations to put new procedures in place to deal with the transfer of information.
They can complain to the supervisory authority in the Member State where they reside or in the Member State where the Data Controller and/or Data Processor is established. The supervisory authority must keep the individual informed of developments throughout the process and notify them of the progress or outcome of a complaint within three months. If the supervisory authority does not deal with the complaint, or the data subject is not satisfied with the outcome, the data subject has the right to an effective judicial remedy before the courts.
The GDPR allows for both the Data Controller and the Data Processor to be held liable, unlike the Data Protection Act 1998 where only the controller had liability. Additionally, where a controller and a processor are involved in the same processing, each can be held liable for the entire damage so that the data subject is fully compensated; the data subject may therefore claim the whole amount from one party, which can then recover the other party’s share from it.
The GDPR allows data subjects to appoint representatives to bring proceedings on their behalf as well as the possibility for data subjects to enter into class action claims. Each Member State decides the level of fines imposed, in line with the new significantly inflated maximum fines under the GDPR, as well as if criminal sanctions are appropriate.
Increased sanctions for mishandling personal data of staff: Up from a maximum of £500,000 to the greater of (up to) 4% of annual worldwide turnover or €20 million.
Possible appointment of Data Protection Officer: Depending on your organisation type and the data you process, you may need to create a new Data Protection Officer role within your organisation. See Do we need a Data Protection Officer? section below for more information on this.
More information to employees: As an employer, you must give more information to employees as to how their personal data will be handled, for example you will need to inform them how long the data will be stored and the rights they have over their data. The information should be concise, intelligible and communicated by means likely to be noticed and read by employees. You should review and amend as needed the information you supply.
Consent and basis for processing: GDPR will make it much harder to rely on consent as a basis for processing employees’ personal data and you should consider other means to legitimise processing.
Compliance alone is not sufficient: Employers must also be able to demonstrate compliance by having appropriate policies, procedures, privacy impact assessments and training in place. Your approach to data protection must be designed to reflect the appropriate level of risk.
Automated decision-making: Employees can object to being the subject of a decision made solely by automated decision-making, for example concerning performance management, sickness, bonuses etc. You should consider other approaches that do not rely solely on automated decision-making.
Employees also have the data subject rights as outlined under What rights do individuals have under GDPR?.
You will need to appoint a Data Protection Officer (DPO) if your organisation is:
- A public authority, or
- Your core activities require regular and systematic monitoring of data subjects on a large scale, or
- Your core activities consist of processing on a large scale of special categories of data (formerly sensitive personal data) or criminal convictions and offences
The responsibilities of the DPO are extensive and require a sound working knowledge of GDPR. The role can be contracted out. See DPO Packages for more information on the DPO role and how Thorntons can help.
The definition of Data Controller under GDPR is similar to that under the Data Protection Act 1998 (DPA): they decide what personal data is collected and what it is to be used for. However, GDPR introduces a new positive obligation on Data Controllers, called the Accountability obligation, to be able to demonstrate compliance with six data processing principles, which broadly reflects the current position. In practice, this means that it is not enough for Data Controllers to process personal data in accordance with the principles; they must also be able to demonstrate that they do so.
Every organisation must review its processing requirements and design its approach to GDPR around the principles. This may include:
- Appointing a Data Protection Officer
- Setting up a clear compliance structure
- Allocating responsibility for compliance among staff
- Provision of training
- Regular data audits
- Undertaking privacy impact assessments where appropriate
- Liaising with the supervisory authority – the Information Commissioner’s Office (ICO) in the UK – where appropriate
All of this activity should be recorded on an ongoing basis so as to evidence compliance. It may be possible in the future to demonstrate compliance by signing up to a Code of Practice or becoming certified; however, the viability of this option is currently unclear.
Unlike under the DPA, a Data Controller is not required under the GDPR to notify the ICO of their organisation’s processing activities. However, that information still has to be recorded by the organisation. Organisations are also under an express obligation to keep certain records of their specific processing activities. See What processing records do we need to keep? below for more on this.
Data Controllers will also need to take into account the ‘Privacy by Design and Default’ requirements under GDPR. See What is ‘Privacy by Design and Default’ and what does it mean for our organisation? below.
A Data Processor is any entity which processes personal data on behalf of the Data Controller. The crucial difference between controllers and processors is that processors exercise no control over what data is collected and what it is used for; they merely facilitate the collection of data and use it for set purposes decided by the controller. Previous legislation, the Data Protection Act 1998 (DPA), only applied to Data Controllers but GDPR applies to both controllers and processors, which is a significant change for Data Processors.
Liability: The Information Commissioner’s Office (ICO) will be able to take enforcement action against Data Processors, including issuing fines up to the greater of £17 million or 4% of global annual turnover. Likewise, they can be held liable for compensation to data subjects for failure to comply with the GDPR and/or process the personal data as instructed by the controller.
Engaging on written terms: Like the DPA, the GDPR requires a written contract. GDPR stipulates that these contracts must include certain information.
Engaging sub-processors: A processor needs the controller’s prior specific or general written authorisation to appoint a sub-processor (and, under a general authorisation, must tell the controller about intended changes so it can object). This will impact the fluidity service providers have in relation to engaging sub-processors, as authorisation will have to be sought from the controller, which could prove prohibitive.
Data Protection Officer (DPO): Data Processors may be required to appoint a DPO. See Do we need a Data Protection Officer? above.
Record-keeping obligations: GDPR creates an obligation on a processor to keep certain records about its processing activities. See What processing records do we need to keep below.
Organisational and technical measures: Processors are required to implement appropriate technical and organisational measures to ensure the security of the data commensurate with the risk.
Breach notification: Processors are obliged to notify the Data Controller of any personal data breach without undue delay. It is good practice to prepare a data breach policy with a view to setting out key individuals’ responsibilities in advance so that any breach is dealt with efficiently and with a view to minimising risk to the processor, the controller and the individual.
The size of your organisation will affect the level of records you require to keep.
If your organisation has 250 or more employees then you must maintain comprehensive internal records of processing activities. These include:
- Contact details of the Data Controller and, where applicable, the joint controller and any Data Protection Officer
- Purposes of processing
- A description of the categories of data subjects and the categories of personal data
- A description of the recipients to whom personal data have been or will be disclosed
- Any transfers of personal data to a third country or an international organisation
- Where possible, the envisaged time limits for erasure of different categories of data
- Where possible, a general description of the technical and organisational measures adopted
Data Processors must also keep similar records of the categories of processing they carry out on behalf of each controller.
If your organisation has fewer than 250 employees, you will only need to maintain such records where data processing activities relate to:
- Higher risk or frequent processing activities, or
- Processing that involves sensitive personal data or criminal convictions
However, if your organisation decides that it is not required to keep these records as its processing does not fall within the stated categories, it is advisable that you keep an accurate record of the internal analysis conducted to reach such a conclusion.
The ICO has wide investigative powers under GDPR and can request to see an organisation’s records. It is important that your organisation keeps accurate and up-to-date records so that such a request can be easily complied with and you can evidence GDPR compliance.
Privacy by design and default
The previous law obliged Data Controllers to adopt ‘appropriate technical and organisational measures’ to protect against unauthorised or unlawful processing of an organisation’s personal data and against accidental loss or destruction of, or damage to, the personal data. The measures adopted had to reflect the state of technological developments available, implementation costs, nature of data and possible risks.
GDPR builds on the previous law by widening the scope of issues organisations must take into consideration when deciding which measures are appropriate for them. In addition to what was previously required, organisations’ technical and organisational measures must be designed to achieve the following objectives:
- Compliance with the data protection principles (such as data minimisation)
- Compliance with the wider obligations of GDPR
- To reflect the nature, scope, context and purposes of the processing, and
- To reflect any risks to the rights and freedoms of the data subjects posed by such processing
Designing measures tailored to these issues is collectively known, under GDPR, as ‘privacy by design’. While the practical measures adopted will vary between organisations, there is a mandatory default position, known as ‘privacy by default’. Under this, the measures must ensure that, by default, only personal data that is absolutely necessary is processed. This means that organisations must, as a minimum, put in place measures to ensure that:
- They do not collect unnecessary data
- They do not process unnecessary data
- They do not keep data for longer than necessary, and
- Access to the data is limited to those who have a legitimate reason to access it
How this could affect your organisation
Your organisation ought to review the measures it adopts and consider whether its practices reflect the requirements of GDPR and if not, what needs to be improved. This could be done as part of a wider project of GDPR compliance.
It is also very important to educate and provide training for key members of staff who are involved in processing personal data on behalf of your organisation so that issues can be identified early, particularly before launching a new service which may impact data management (when you may wish to undertake a Privacy Impact Assessment). The principle of privacy by design should be a constant and evolving consideration for every organisation.
Over time, this should lead to reduced risk of enforcement action for organisations and better protection of rights for data subjects.
Relying on consent obtained prior to GDPR will continue to be a valid basis upon which to process data post-GDPR, provided such consent meets the requirements of GDPR. Organisations should review the basis upon which consent was obtained against GDPR requirements and consider whether they need to get fresh consent or identify whether processing can be legitimised by other means.
Under GDPR, consent must be freely given, specific, and an informed and unambiguous indication of the individual’s wishes, by which they, by a statement or by a clear affirmative action (such as opt-in boxes), signify agreement to the processing of personal data relating to them. Consent must not be tied to anything else such as service delivery and individuals must be able to withdraw it at any time.
This means that opt-out or deemed consent, such as silence, pre-ticked boxes or inactivity, will not be acceptable. Some key things to think about are:
- Unbundled: consent should not generally be a precondition of signing up to a service
- Active opt-in: pre-ticked opt-in boxes are invalid
- Granular: provide options to consent to different types of processing
- Named: name your organisation and any third parties who will be relying on consent
- Ability to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. Provide an easy and quick way for people to exercise this right.
In some situations, consent will also have to be ‘explicit’. Examples include where an organisation:
- Processes ‘special categories of data’ (currently understood as ‘sensitive personal data’)
- Wishes to rely on consent to justify transferring personal data to a third country
- Wishes to legitimise automatic decision-making
Explicit consent needs to be expressly confirmed by words as opposed to other affirmative action, which may otherwise be acceptable.
Organisations will also need to keep records evidencing that consent has been obtained, including what the individuals were told and when and how they consented. You will also need to put in place the mechanisms to manage consent withdrawal.
If consent is a condition of service or your organisation is in a position of power over the individual, then consent will most likely not be the most appropriate processing condition as you cannot offer the individual a genuine choice or control over how their data is processed. In such a case, you should consider relying on another ground to process data.
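The consent requirements above (affirmative action only, granular purposes, named controller and third parties, a record of what was shown and when, and withdrawal as easy as giving consent) translate directly into what a consent store has to capture and enforce. The following is an added example, not code from the original page or from Thorntons: a small consent ledger in Python that rejects deemed consent (pre-ticked boxes, silence), requires a statement in words for special-category data, checks permission per purpose, and keeps the evidence after withdrawal. The organisation names, purposes and notice texts in the demo are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Ways a data subject can signify agreement.  Only clear affirmative actions
# are valid; "explicit" ones (a statement in words) are needed where the page
# says explicit consent applies, e.g. special categories of data.
AFFIRMATIVE_METHODS = {"opt_in_checkbox", "button_click",
                       "written_statement", "recorded_oral_statement"}
EXPLICIT_METHODS = {"written_statement", "recorded_oral_statement"}
# Deemed or opt-out consent is never acceptable under GDPR.
DEEMED_METHODS = {"pre_ticked_box", "silence", "inactivity", "continued_use"}


class InvalidConsent(ValueError):
    """Raised when an attempted consent record would not satisfy GDPR."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                    # one purpose per record (granular consent)
    controller: str                 # named organisation relying on consent
    third_parties: tuple            # named third parties also relying on it
    notice_text: str                # what the individual was told
    method: str                     # how they consented
    given_at: datetime              # when they consented
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only store of consent evidence plus withdrawal handling."""

    def __init__(self) -> None:
        self._records = []  # list of ConsentRecord; never deleted, only withdrawn

    def record(self, subject_id, purpose, controller, third_parties, notice_text,
               method, *, special_category=False, now=None) -> ConsentRecord:
        now = now or datetime.now(timezone.utc)
        if method in DEEMED_METHODS or method not in AFFIRMATIVE_METHODS:
            raise InvalidConsent(f"{method!r} is not a clear affirmative action")
        if special_category and method not in EXPLICIT_METHODS:
            raise InvalidConsent("special-category data needs explicit consent in words")
        if not notice_text.strip() or not controller:
            raise InvalidConsent("record what the subject was told and who relies on it")
        rec = ConsentRecord(subject_id, purpose, controller, tuple(third_parties),
                            notice_text, method, now)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, now=None) -> int:
        """Withdrawal is one unconditional call; returns how many consents it ended."""
        now = now or datetime.now(timezone.utc)
        ended = 0
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = now
                ended += 1
        return ended

    def permitted(self, subject_id, purpose, at=None) -> bool:
        """True only if unwithdrawn consent exists for exactly this purpose."""
        at = at or datetime.now(timezone.utc)
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.given_at <= at
                   and (r.withdrawn_at is None or r.withdrawn_at > at)
                   for r in self._records)

    def evidence(self, subject_id) -> list:
        """What a supervisory authority could ask for: who, what was shown, when, how."""
        return [r for r in self._records if r.subject_id == subject_id]


def demo() -> dict:
    """Walk through the rules with constructed sample data (hypothetical names)."""
    t0 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2018, 6, 1, 10, 0, tzinfo=timezone.utc)
    ledger, out = ConsentLedger(), {}
    try:  # a pre-ticked box is not consent
        ledger.record("subj-1", "marketing", "Example Ltd", (), "We will email offers.",
                      "pre_ticked_box", now=t0)
        out["pre_ticked_rejected"] = False
    except InvalidConsent:
        out["pre_ticked_rejected"] = True
    try:  # health data is a special category: a tick box is not explicit consent
        ledger.record("subj-1", "health_research", "Example Ltd", ("Research Partner plc",),
                      "We will share your health data.", "opt_in_checkbox",
                      special_category=True, now=t0)
        out["explicit_required"] = False
    except InvalidConsent:
        out["explicit_required"] = True
    ledger.record("subj-1", "marketing", "Example Ltd", (),
                  "We will email offers. Withdraw any time via the link in each email.",
                  "opt_in_checkbox", now=t0)
    out["marketing_ok"] = ledger.permitted("subj-1", "marketing", at=t0)
    out["analytics_not_covered"] = ledger.permitted("subj-1", "analytics", at=t0)  # granular
    out["withdrawn"] = ledger.withdraw("subj-1", "marketing", now=t1)
    out["after_withdrawal"] = ledger.permitted("subj-1", "marketing", at=t1)
    out["evidence_count"] = len(ledger.evidence("subj-1"))  # evidence survives withdrawal
    return out
```

The ledger never deletes a record on withdrawal; it stamps `withdrawn_at`, so the organisation can still show what was consented to and when, while `permitted()` stops returning true from the moment of withdrawal. Timestamps are passed in explicitly in the demo so the walkthrough is deterministic.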
The Information Commissioner’s Office (ICO) is the supervisory authority under GDPR for the UK.
GDPR penalties: Under the GDPR the ICO has a two-tier penalty system in relation to fines:
- In the top tier, the ICO is able to issue fines of up to 4% of annual worldwide turnover or €20 million, whichever is greater. This will be applicable where an organisation has failed to comply with any of the six general principles, such as failing to process data in accordance with the rights of the data subject.
- In the second tier, for failures such as not notifying the ICO of a personal data breach or not putting in place an adequate contract with a Data Processor, fines could be up to 2% of worldwide annual turnover or €10 million, whichever is the greater.
Investigative powers: These include the ability to request disclosure of any information from an organisation and access to relevant property and equipment, data protection audits and reviews, all of which the organisation must cooperate fully with.
Corrective powers: If it identifies practices of non-compliance with the GDPR (or practices which are likely to infringe the GDPR), the ICO has a range of powers it may exercise, in addition to a fine as discussed above. These can include:
- An order to comply with data subject’s requests
- An order to rectify non-compliance and bring practices into compliance with the GDPR within a specified time frame
- Order to controller to communicate data breach to data subject
- Imposition of a temporary or definitive limitation or ban on processing
- An order regarding the rectification or erasure of personal data or restriction of processing and notification of such actions to recipients of personal data
- An order suspending data flows to a recipient in a third country or to an international organisation
Before using any corrective powers, the ICO will consider such aspects as the gravity of the breach, the intention behind the action taken by the organisation, steps taken by the organisation to mitigate the breach, as well as if there has been any financial benefit derived from the breach.
It is recommended that organisations keep a thorough paper trail as to their approach to GDPR compliance, which could prove useful in the event of a breach.
The European Data Protection Board is an independent body of the European Union, with its own legal personality, Chair and Secretariat, which replaced the Article 29 Working Party. It is not itself a supervisory authority; it coordinates the national supervisory authorities.
Its remit is to ensure the consistent application of GDPR among Member States. In doing so it shall promote cooperation between supervisory authorities, issue opinions to supervisory authorities, settle disputes among supervisory authorities, provide training, and issue guidance for controllers and processors.
The European Data Protection Board will be composed of the head of the supervisory authority for each Member State and the European Data Protection Supervisor.
If a personal data breach is likely to result in a risk to the rights and freedoms of the data subject then Data Controllers must notify the relevant supervisory authority, which is the ICO in the UK. A personal data breach is defined in GDPR (Article 4(12)) as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’
You should assess each breach to determine whether it ought to be reported. If so, this should be done within 72 hours of you becoming aware of it, failing which you will need to justify the delay. Significant fines of up to €10 million or 2% of an organisation’s global turnover can be imposed for failing to inform the supervisory authority.
In certain circumstances you will also be required to inform the individual concerned; this is where the breach presents a ‘high’ risk to the individual’s rights and freedoms.
Think about what your organisation would do in the event of a data security breach and put in place a plan to ensure any breach is dealt with in a fast and effective manner. Any such plan should cover the organisational and technical containment measures available to stop the breach spreading, notification of the breach to the ICO and the individuals concerned, and how publicity ought to be handled. This will help minimise harm not only to the individual concerned but also to your organisation.