On 25 May 2018 a new EU data protection law will come into place: the General Data Protection Regulation (GDPR). This sets out various rules relating to the holding, processing and distribution of personal data.
Various recent reports indicate that many businesses in the UK are either unaware of GDPR or have not considered what effects it will have on their storage and handling of personal data.
If you have not already begun to look at this, we advise that you begin a thorough check of the information that you hold, and review the basis on which you gather, process and hold those data, including how you seek, record and manage consents for their use.
One of the major changes to data protection under GDPR is that its territorial scope has been extended. It will now apply not only to data processing of EU/EEA citizens within the EEA but to all processing of personal data by controllers and processors established within the EU/EEA, even if that processing takes place outside the EU/EEA. It will also apply to the processing of personal data of data subjects within the EU/EEA no matter where the processor is based, particularly where the processing activities relate to offering goods or services within the EU/EEA, irrespective of whether payment is sought, or to monitoring the behaviour of EU residents within the EU. Non-EU businesses processing the data of EU citizens will have to appoint a representative within the EU.
GDPR will bring in compulsory reporting requirements for companies that suffer personal data breaches. It will become compulsory to inform the relevant supervisory authority (the Information Commissioner’s Office in the UK) where a security breach is likely to result in a risk to the rights and freedoms of individuals. Individual data subjects should also be informed where there is a high risk to their rights and freedoms. Again, this might affect companies outside the EU where the breached data came from Europe, or where the company was holding data to offer goods or services in Europe or to monitor European citizens’ activities.
Data Protection Principles
Processing and control of data under the GDPR is based on seven data protection principles with which data controllers and processors must comply.
1 Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
2 Purpose limitation. Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any other manner incompatible with those purposes.
3 Data minimisation. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
4 Accuracy. Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
5 Storage limitation. Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed. This is not a specific time limit but will vary from one purpose to another.
6 Integrity and confidentiality. Personal data must be processed in a manner that ensures its appropriate security.
7 Accountability. The data controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles. This is a new principle under GDPR.
Under the Data Protection Act the data subject’s consent to processing has been viewed as something of a universal licence. Conditions for consent to processing have been reinforced under the GDPR, however, so that it is now far more tightly controlled. Consent is not the only justification for the processing of personal data but, if you are relying on consent to process data, that consent must be freely given, specific and informed. If you are currently relying on data subject consent to process data, you should consider whether your existing consents will comply with the new standards. If not, you should seek confirmation in a manner that does comply.
Consent requests should be:
• prominent, concise and easy to understand;
• separate from other terms and conditions so that the consent is not (and does not appear to be) a condition of the data subject receiving services for which such consent is not actually required;
• specific: you should set out the processing purposes for which consent is sought. Consent given for one purpose will not necessarily constitute consent for another purpose and consent to one processing activity will not constitute consent for another. Ideally you should offer options where processing of different types or for different purposes may be carried out;
• positive: it should be on the basis of positive action to opt in rather than simply not opting out;
• informed: the data subject should be aware of the identity of the data controller, the purposes of the processing activity and the type of processing activity to take place.
You must also inform the data subject that their consent can be withdrawn at any time and, ideally, explain how to make that withdrawal.
Other lawful justifications for processing
As with the current Data Protection Act, processing can be based on a number of lawful justifications apart from consent:
• Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract;
• Processing is necessary for compliance with a legal obligation;
• Processing is necessary to protect the vital interests of a data subject or another person;
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the individual.
The individual’s interests, rights and freedoms to be borne in mind include:
• the right to be informed: this relates to the provision of fair processing information – please see below;
• the right of access: as well as the right to know if personal data concerning them is being processed, where and for what purposes, data subjects have a right to a copy of information held, free of charge, in an electronic format;
• the right to rectification;
• the right to erasure: individuals have a right to have personal data erased and to prevent processing in specific circumstances, such as where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed or where consent to processing has been withdrawn;
• the right to restrict processing;
• the right to data portability: this is the right for a data subject to receive the personal data concerning them, which they have previously provided, in a “commonly used and machine readable format” and to transmit that data to another controller;
• the right to object: individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing (including profiling) and processing for purposes of scientific or historical research and statistics; and
• the right not to be subject to automated decision-making including profiling.
Not all of these rights apply in all circumstances, but you should consider whether you need to store data in a form that can be transferred or erased if required.
Irrespective of the legal basis for processing, the data controller will usually have to provide “fair processing” or “privacy” notices to data subjects setting out:
• the identity of the data controller;
• the purpose of the processing;
• the contact details of the data controller;
• the contact details of the data protection officer (if any);
• the legal basis of the processing;
• the data retention period;
• a reference to the data subject’s rights under the GDPR; and
• information on international transfers and the safeguards applied to such transfers.
For breaches of major data processing obligations, such as not having a legal basis for processing, the headline figure is that fines can be imposed of up to 4% of a company’s worldwide annual turnover or €20,000,000, whichever is the greater. This is a significant increase from the existing legislation.
Fines for breaches of lesser obligations will be limited to 2% of global annual turnover or €10,000, but this could still be a very significant sum.
A data privacy health check could be a useful first step. In the light of the changes that GDPR will bring about, we suggest that you carry out an audit of your data processing activities.
• Review the information you hold, consider how you process it and the basis on which you carry out any such processing.
• Look at the processing you carry out and consider the relevant processing condition that you rely upon to justify that processing. Can you rely on a justification other than consent?
• If you rely on consent for processing, consider how you seek, record and manage such consents and whether you need to seek a new or revised consent.
• Bear in mind that some justifications for processing will require additional assessments. The “legitimate interests” justification, for example, will require an assessment to balance those interests against individuals’ rights. Any findings should be recorded so that you can demonstrate to the ICO (or an individual) that you have fully considered the necessity of the purpose of processing against the rights of the individual and concluded that the individual’s rights do not override your interests.
• Consider whether you are holding data that you no longer use or require. Can it be deleted or anonymised?
• Review your security to ensure that you are protected against unauthorised or unlawful processing, accidental data loss and damage. Can data be encrypted, anonymised or pseudonymised?
• Any new processing or storage systems should be built to incorporate data protection by design and by default. In particular, systems should be capable of searching for and extracting all personal data of a particular data subject in order to comply with the rights of data portability and data erasure.
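To make the last two points concrete, the following is an added illustration (not code from this note or from Redfern Legal LLP) of what "data protection by design" can look like in a small system: personal identifiers are pseudonymised with a keyed hash (HMAC-SHA256) whose key is held separately from the data, every record about one data subject can be collected across tables and exported as JSON for a portability request, and an erasure request deletes the subject's rows while pseudonymising rows the business has assumed it must retain (for example under a legal obligation). The table layout, field names, the `subject_id` key, the sample records and the retention choice are all assumptions made for this example.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Fields treated as direct personal identifiers (an assumption for this example).
PERSONAL_FIELDS = {"name", "email", "phone"}

# Constructed sample "database": two tables, each row carrying a stable subject_id.
SAMPLE_STORE = {
    "customers": [
        {"subject_id": "s-001", "name": "Alice Example", "email": "alice@example.com", "phone": "01234 567890"},
        {"subject_id": "s-002", "name": "Bob Example", "email": "bob@example.com", "phone": "01234 000000"},
    ],
    "orders": [
        {"subject_id": "s-001", "order_id": "o-1", "email": "alice@example.com", "total": 19.99},
        {"subject_id": "s-002", "order_id": "o-2", "email": "bob@example.com", "total": 5.00},
        {"subject_id": "s-001", "order_id": "o-3", "email": "alice@example.com", "total": 42.00},
    ],
}

# Example pseudonymisation key. In a real system it is generated at random and
# stored apart from the data (e.g. in a secrets manager), so that whoever holds
# only the database cannot re-identify the tokens.
PSEUDONYM_KEY = b"example-key-kept-separately"


def fresh_store() -> dict:
    """Return a private copy of the sample data so callers can mutate it safely."""
    return deepcopy(SAMPLE_STORE)


def pseudonymise_value(value: str, key: bytes) -> str:
    """Map an identifier to a keyed-hash token.

    The same value under the same key always yields the same token, so records
    stay linkable, but the token cannot be reversed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Replace every personal field present in the record with its token."""
    out = deepcopy(record)
    for field in PERSONAL_FIELDS & out.keys():
        out[field] = pseudonymise_value(str(out[field]), key)
    return out


def collect_subject_data(store: dict, subject_id: str) -> dict:
    """Gather every row held about one data subject, table by table."""
    return {
        table: [deepcopy(r) for r in rows if r.get("subject_id") == subject_id]
        for table, rows in store.items()
    }


def export_subject_data(store: dict, subject_id: str) -> str:
    """Right to data portability: the subject's data in a machine-readable format (JSON)."""
    return json.dumps({"subject_id": subject_id, "data": collect_subject_data(store, subject_id)},
                      indent=2, sort_keys=True)


def erase_subject(store: dict, subject_id: str, retain_tables=(), key: bytes = PSEUDONYM_KEY) -> dict:
    """Right to erasure: delete the subject's rows in place.

    Rows in `retain_tables` (assumed to be kept for another lawful reason) are
    not deleted; their personal fields and subject_id are pseudonymised instead.
    Returns, per table, how many rows were deleted or pseudonymised."""
    result = {}
    for table, rows in store.items():
        if table in retain_tables:
            count = 0
            for i, row in enumerate(rows):
                if row.get("subject_id") == subject_id:
                    rows[i] = pseudonymise_record(row, key)
                    rows[i]["subject_id"] = pseudonymise_value(subject_id, key)
                    count += 1
            result[table] = {"pseudonymised": count}
        else:
            before = len(rows)
            rows[:] = [r for r in rows if r.get("subject_id") != subject_id]
            result[table] = {"deleted": before - len(rows)}
    return result


if __name__ == "__main__":
    store = fresh_store()
    print(export_subject_data(store, "s-001"))          # portability request
    print(erase_subject(store, "s-001", retain_tables=("orders",)))  # erasure request
    print(export_subject_data(store, "s-001"))          # nothing left attributable to s-001
```

Two design points the code makes visible: a single stable `subject_id` on every row is what makes "find everything we hold about this person" a query rather than a manual hunt, and keyed pseudonymisation only reduces risk if the key really is kept away from the data (an unkeyed hash of an e-mail address is trivially re-identifiable by hashing candidate addresses).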
GDPR is a massive piece of legislation and this blog just scratches the surface. It is intended as a very basic introduction to GDPR but should not be viewed as legal advice. If you require advice in relation to specific circumstances, please contact us but no legal liability to any person is accepted by the author or Redfern Legal LLP on the basis of this note.