From 25 May 2018, the General Data Protection Regulation (“GDPR”) will apply to most organisations that process personal data about individuals, whether those individuals are their customers, their employees, or both.
Does it affect me?
GDPR applies to all organisations which are ‘Data Controllers’ or ‘Data Processors’.
A Data Controller controls how and why an individual’s personal data is dealt with (processed); e.g. obtaining a customer’s name, address and telephone number when taking an order.
A Data Processor processes personal data on behalf of the Data Controller; e.g. a shop that keeps a customer database in cloud-based computer storage. In this situation the shop is the Data Controller and the cloud computing provider is the Data Processor.
Practically speaking, most organisations are Data Controllers, and some are also Data Processors.
The GDPR will bring in new rules, concepts and tougher sanctions on data protection and this article summarises some of the key changes that will be introduced by the GDPR.
GDPR KEY CHANGES
Data Governance – Security
This is one of the most heavily debated changes introduced by the GDPR, requiring organisations to implement a wide range of measures to reduce the risk of breaching the GDPR.
Data Controllers and Data Processors will be required to implement ‘appropriate technical and organisational measures’ to secure personal data held or controlled by them if they are to be compliant with GDPR.
This means, for example, training staff to keep computers and servers holding personal data password-protected, and having appropriate anti-virus and spam filters in place to reduce the risk of being hacked. There will also be a requirement for Data Controllers to enter into a contract with their Data Processors confirming that the Data Processors have sufficient security measures in place and will comply with the GDPR.
The GDPR also encourages that personal data is pseudonymised (encrypted), as one measure that might demonstrate compliance with GDPR.
There are a number of ways an organisation could breach its data protection requirements, such as personal data being compromised by a cyber attack or an employee accidentally sending an email containing client information to a wrong recipient (we have all done it!).
The GDPR introduces a general personal data breach notification regime: where a data breach has happened which could “adversely affect [the data subject’s] rights and freedoms”, an organisation must notify the supervisory authority (currently the Information Commissioner’s Office) without undue delay, and not later than 72 hours after becoming aware of it.
A conservative interpretation of this would be that, if it is possible to identify any data subject from the data breach, then it will be a notifiable breach.
It is therefore imperative that organisations review their internal procedures to ensure that robust measures are in place to prevent and deal with data breaches.
The principle of “fair and transparent” processing means that organisations must ensure that individuals are informed about how their personal data will be processed. The GDPR requires this information to be concise, transparent, intelligible and easily accessible.
Prior to 25 May 2018, organisations are strongly advised to put procedures and policies in place to ensure that individuals are given the required information about the processing of their personal data (such as an Information Notice), to comply with the GDPR requirements on transparency of processing.
Subject Access Requests
Not only must individuals be informed of the nature of the processing of their personal data, they should also be notified of the identity of the Data Controller. Individuals are entitled to ask the Data Controller whether or not their personal data is being processed and, if so, the nature and purposes of that processing.
An individual can request such information by making a Subject Access Request, and the GDPR introduces a number of changes to the current regime:
- organisations can no longer charge an individual to comply with a request, save in very limited circumstances (the previous fee was £10);
- a one month deadline to comply with a Subject Access Request, rather than the current 40 days;
- if the Data Controller refuses a request, specified information must be provided to the individual making the request.
Individuals can also require a Data Controller to rectify inaccuracies in personal data held about them.
Right to Object
This is a new right introduced by the GDPR. In certain circumstances, individuals will have an absolute right to object to their personal data being processed. For example, an individual will have an absolute right to object to direct marketing.
If an individual objects to the processing of their personal data, organisations must stop processing that personal data unless they can satisfy one of the exceptions; for example, where the organisation can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual. This could be, say, a law firm processing the personal data of a client who has lost capacity.
Right to Erasure (‘right to be forgotten’)
Individuals will have the right to request that their personal data be ‘erased’ in certain circumstances, for example where the individual withdraws consent, or where processing the personal data is no longer necessary for the purposes for which the data was obtained.
Sensitive Personal Data
‘Sensitive Personal Data’ is a special category of personal data, such as an individual’s racial or ethnic origin, political opinions and religious beliefs. The GDPR adds genetic and biometric data to this category of sensitive personal data.
Only in certain circumstances can an organisation process Sensitive Personal Data, such as where:
• explicit consent is obtained (see Grounds to Permit Processing below);
• it is necessary for carrying out obligations under employment, social security or social protection law;
• data is made public by the individual;
• processing is necessary for the establishment, exercise or defence of legal claims.
The rules on processing sensitive personal data are more stringent under the GDPR than other forms of personal data.
GROUNDS TO PERMIT PROCESSING PERSONAL DATA
There are a number of grounds on which an organisation can process personal or sensitive personal data, such as:
• obtaining consent;
• it is necessary for the performance of a contract;
• processing is necessary for the purposes of a legitimate interest.
The individual’s consent is likely to be the main ground on which organisations will seek to rely when processing an individual’s personal or Sensitive Personal Data.
The GDPR introduces stricter requirements for how organisations can obtain ‘valid’ consent. The GDPR requires that consent provided by individuals must be freely given, specific, informed and unambiguous. Therefore, consent cannot be pre-determined or hidden in standard terms of business (which has been the norm). Also, consent obtained from notices with pre-ticked boxes will likely be deemed invalid.
Therefore, prior to 25 May 2018, organisations are advised to implement GDPR-compliant Consent Notices for individuals to sign, consenting to and authorising the organisation obtaining, storing and processing their personal and/or sensitive personal data.
What if an organisation breaches the requirements contained in the GDPR?
Non-compliance with GDPR can lead to heavy penalties.
Non-compliance can lead to an administrative fine of up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher!
HOW CAN WE HELP?
We can provide bespoke advice to assist your organisation in preparing and implementing appropriate measures in order to comply with the GDPR. Examples of how we can help include:
• How to validly process personal data and sensitive personal data;
• Advice on adopting and implementing internal procedures to deal with and respond to Subject Access Requests;
• Advice on an individual’s right to object and on what grounds your organisation can nevertheless process their data, irrespective of whether the individual objects;
• Drafting clear policies and well-practised procedures to ensure that your organisation reacts efficiently to a data breach;
• Drafting and negotiating the legally binding contract between your organisation and a Data Processor (or vice versa) on terms most favourable to your organisation, as the GDPR makes such a contract a legal requirement;
• Drafting Information Notices, which will provide individuals (your data subjects) with sufficient information about how their data is dealt with, so that your organisation complies with the transparency principles contained in the GDPR;
• Preparing Consent Notices for your organisation to use;
• Drafting Data Protection Policies for your organisation to implement in its staff handbook.