SPEEDREAD: A summary of the main issues you and your business need to be aware of regarding the GDPR. It will replace the Data Protection Act and so if you deal with personal or sensitive data in your business (all employers process personal data) you NEED to read this and make sure you are getting ready.
What is the GDPR?
On 25 May 2018 the EU General Data Protection Regulation (GDPR) comes into effect in the UK, and effectively replaces the Data Protection Act 1998. As an EU Regulation, the GDPR has direct effect in each member state without the need for further implementation, including the UK as we will not have left the EU by then. However, the government has confirmed our departure from the EU will not affect its application and therefore it is also in the process of passing additional legislation in the form of the Data Protection Bill (DPB) to:
- incorporate the GDPR into domestic legislation in readiness for when we do leave the EU;
- repeal the Data Protection Act 1998 (DPA); and
- detail the derogations it is making from the GDPR (the derogations are largely concerned with processing of personal data by law enforcement and intelligence services).
The GDPR introduces a single legal framework across the EU for handling personal data and imposes new requirements including the new obligation to demonstrate compliance with its requirements.
To whom does it apply?
The GDPR will apply to all businesses with an EU establishment. The territorial scope has been expanded to cover companies targeting goods and services at, or monitoring, EU citizens. Whether the GDPR applies to organisations without an establishment in the EU will be determined by the location of the data subjects. The GDPR will apply whenever the use of personal data by an organisation relates to:
- the offering of goods or services to individuals in the EU, irrespective of whether a payment is required; and
- the monitoring of those individuals’ behaviour in the EU.
Tracking individuals on the internet to analyse or predict their personal preferences, as many websites and apps do, will trigger its application. This means that almost every website using tracking cookies or mobile application which retrieves usage information will be subject to the GDPR. The use of a server in an EU country may be caught even if the website operator is not established in that country.
The GDPR also applies to the three members of the EEA (Iceland, Liechtenstein and Norway).
The GDPR applies to “controllers” and “processors”, and the processing of data, including: collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction (marking of stored data with the aim of limiting its processing in the future), erasure and destruction.
Data processor (e.g. someone who acts on the controller’s behalf) – gathers, stores, and processes data on behalf of a data controller (may be a third party). This includes the cloud, IT services, banking, HR functions, payroll and marketing. A data processor includes a sub-processor. Under the GDPR, data processors also have regulatory obligations. The processor may only process personal data if it has instructions from the data controller.
Data controller (e.g. someone who says how and why personal data is being processed) – requests the data processor to process data for them (can be the same entity). Data controllers have always been subject to the regulatory regime and most of the obligations under the GDPR fall on the data controller, who determines the purposes and means of the processing of personal data. The GDPR places specific obligations on controllers and further obligations to ensure contracts comply.
ICO – the Information Commissioner’s Office, the regulatory body for the UK (and Supervising Authority in the UK).
Data protection officer – this is a person who is appointed to carry out certain tasks including (but not limited to): advising the data controller or data processor and employees of their obligations under the GDPR and other applicable data protection laws. This includes providing training to employees involved in personal data processing; monitoring compliance with the GDPR, other applicable laws and the data controller’s or data processor’s policies and procedures relating to data protection; advising on data protection impact assessments; co-operating with supervisory authorities; and acting as the point of contact on issues relating to data processing.
Personal data – means “any information relating to a data subject”. A data subject is the identified or identifiable person to whom the personal data relates. This is essentially anything that can be used to identify an individual. Some examples are: genetic identity, social identity details, education and training, employee home address, employment details.
Online identifiers (e.g. IP address, cookie identifiers and things like RFID tags) can be personal data. The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised e.g. key-coded can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to the particular individual. Truly anonymised data will not constitute personal data.
Sensitive personal data – Under the GDPR it uses the term “Special Categories of Personal Data”. This is data that reveals ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning a person’s health or sex life, genetic data or biometric data. Personal data relating to criminal convictions and offences are not included, but extra safeguards apply and are included elsewhere in the GDPR.
It is important to understand who is a data processor or data controller as the different roles have different responsibilities. Parties can be a data controller for one part of their processing, and a processor for another part of their processing. Sometimes you have joint data controllers, who are equally responsible. Sometimes you have a processor who then has a sub-processor.
A data processor’s responsibilities can be summarised into four main areas:
- Contract – it is the joint responsibility of the controller and processor to ensure that there is a detailed contract in place that covers all relevant points.
- Security – the processor is responsible for ensuring the security of the personal data they process.
- Accountability – the processor is responsible for record keeping, allowing supervisory authorities access to records, appointment of data protection officers, and complying with international data transfer requirements.
- To give assistance to data controllers.
The GDPR requires a data controller to not only comply with the six principles when processing personal data but also show evidence of compliance. A data controller must also ensure there is a detailed contract in place (see above). This is the concept of accountability under the GDPR which means more than just establishing data protection policies and procedures. The six principlesgoverning data processing are:
- Lawfulness, fairness and transparency.
- Purpose limitation (e.g. collection must be for specified, explicit and legitimate purposes; and data should not be processed in a manner that is incompatible with those purposes).
- Data minimisation (e.g. it should be adequate, relevant and not excessive).
- Storage limitation (e.g. stored in identifiable form only as long as necessary to fulfil the purpose the organisation collected it for).
- Integrity and confidentiality.
A data controller must only process personal data based on one or more of the following:
- consent of the data subject;
- necessary for the performance of a contract with the data subject or take steps to enter into a contract;
- necessary for the compliance with a legal obligation (save for an obligation imposed by a contract);
- necessary to protect the vital interests of a data subject;
- necessary for the performance of a task carried out in the public interest/exercise of official authority vested in the controller; or
- necessary for the purposes of legitimate interests pursued by the controller or a third party except where such interests are overridden by the interests, rights or freedoms of a data subject.
Sensitive personal data
In summary, the prohibition on processing sensitive data does not apply when:
- the individual to whom the sensitive personal data relates has given explicit consent to the processing;
- the processing is necessary for:
- carrying out the data controller’s rights in employment law, social security and protection;
- protecting the vital interests of the individual when the data controller cannot obtain consent;
- establishing, exercising or defending legal claims;
- reasons of substantial public interest; or
- scientific, historic research or statistical purposes.
- the processing relates to the legitimate activities of certain non-profit organisations; or
- the processing relates to personal data made public by the data subject.
Processing of personal data relating to criminal convictions/offences is limited to certain circumstances.
Reliance on “consent” for processing:
Consent is defined as a “freely given, specific, informed and unambiguous” indication of the data subject’s wishes by which s/he, by a statement or by a clear affirmative action, signifies agreement to the processing of his/her personal data. Examples of affirmative actions include: ticking a box when visiting a website; choosing technical settings for an online service; and any other conduct which clearly indicates acceptance. Silence, pre-ticked boxes or inactivity would not normally constitute consent. When processing has multiple purposes, consent should be obtained for all purposes.
For consent to be informed, the data subject must be aware (as a minimum) of the data controller’s identity, the data being held and the intended purpose processing.
Consent is revocable. This means structuring processing practices to accommodate such withdrawals.
Consent should not be part of standard terms. Therefore, this can be tricky in employment situations as this is usually seen as an imbalance of power between the parties, which under the GDPR means the consent will not be valid. Care should be taken not to rely on consent given in employment contracts, and should instead be clearly distinguishable. A working party has been set up to provide expert advice and ensure consistency of application regarding data protection, called the Article 29 Working Party. It will publish guidance on consent and transparency following recent consultation on its proposed guidelines. The ICO will publish an updated version of their own draft consent guidance. In the meantime, the draft consent guidance can be found HERE.
If you process any data belonging to children (under 16 as per the GDPR but the UK has adopted the age of 13 in the DPB) there are additional requirements.
New obligations under the GDPR:
The GDPR has introduced certain new obligations, which we have summarised below:
- The requirement to document certain information, such as types of personal data being processed, who it is being shared with, purposes, overseas transfers.
- Privacy by design and privacy by default. This requires people to properly consider why and how they are gathering data at the start of a project in order to ensure as little data is stored as is necessary for as short a time as possible.
- Requirement to carry out Data Protection Impact Assessments in certain circumstances (sometimes mandatory), such as when there is large scale processing of certain categories of sensitive data or automated processing, including profiling, etc.
- Consideration as to whether or not your organisation needs a Data Protection Officer, in some cases this will be mandatory but it may be a voluntary decision.
- New obligations in relation to data processing arrangements, e.g. if contracting with a third party to carry out data processing, increased due diligence on data processes, additional clauses in contracts will be required and include in the contract itself a description of the data that’s being processed, the processing activities, and the duration of the processing.
- New right to data portability gives individuals the right, in some circumstances, to require an organisation to give back data provided by the individual.
- New right to be forgotten means individuals can request all of their data is erased without undue delay in the circumstances specified in the GDPR.
- Changes to privacy notices that you have to give individuals (e.g. job applicants/employees). There is detailed guidance on this available on the ICO website.
- Breach of notification requirements – a log must be kept of all data breaches and the regulator can review it at any time. Data processors must notify data controllers of all breaches and without undue delay, who must then notify most breaches to the regulator. In some case the individual concerned will also need to be notified.
Individuals will now have the following rights:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure (the right to be forgotten).
- The right to restrict processing.
- The right to data portability.
- The right to object to processing.
- Rights in relation to automated decision making and profiling.
Data subject access requests:
- There is no longer a fee but for a few exceptions, e.g. where a request is “manifestly unfounded or excessive” it may be possible to charge a “reasonable” fee.
- Response period reduced from 40 days to “without delay” (e.g. >1 month).
- Employers now required to provide the following additional information:
- the envisaged period of storage;
- details of rights to be forgotten, rectification, restriction of processing, and right to object to processing;
- the safeguards applied on a TP transfer of data.
- Obligation to provide response in electronic form (possibly via an online platform)
- Exemptions to disclosure (e.g. legal privilege) remain.
Transfer of data outside the EU:
Apart from transfers to jurisdictions that are officially declared by the commission to be adequate, both controllers and processors may only transfer data outside the EU if they put in place appropriate safeguards on the condition that enforceable rights and legal remedies for individuals are available. A data processor must have the consent of the data controller in order to make transfers outside of the EU. That applies to any processor (including sub-processor). Individuals have to be informed by way of privacy notices if international transfers may take place (e.g. outside the EEA or an international organisation).
Non-Compliance & Offences:
Non-compliance can lead to the following penalties:
- maximum fine under the GDPR is €20 million (£17 million) or 4% of the total worldwide annual turnover of the undertaking (not the organisation) whichever is higher;
- the individual can be awarded compensation where damage has been suffered as a result of unlawful processing.
Data Protection Authorities may use their new range of enforcement options and individuals may seek compensation directly from data processors. Data controllers and processors have joint liability for any damage caused by processing whilst working together on the same processing operations.
You must be able to demonstrate compliance with the GDPR and the steps taken to ensure that your systems are compliant. Demonstrating compliance may help reduce the data controller or data processor’s risk of liability, including administrative fines.
The GDPR introduces the following new offences:
- Unlawful retention of data without the data controller’s consent.
- Re-identification of de-identified personal data without the consent of the data controller.
- Alteration, etc., of personal data to prevent disclosure following a data subject access request.
- Processing of personal data that is information that has been re-identified where the person does so without the consent of the controller responsible for de-identifying the personal data and in circumstances in which the re-identification was an offence under point 2.
What should you do?
- We strongly recommend you review the ICO checklists and information on the ICO website, particularly the ’12 Steps to Take Now’ guidance.
- Undertake a data mapping exercise (e.g. understand what data you have (personal/sensitive), where it is stored and where it has ‘travelled’, consider who is a data processor/controller and where they are; consider your chain, review what data you collect and why).
- Review and update the following, as necessary:
- policies and procedures;
- privacy notes;
- processes for obtaining and recording consent, including with regard to the age of the individual.
- Consider whether you need to appoint a Data Protection Officer.
- For organisations that operate internationally, determine which data protection supervisory authority is the correct regulator.
- Train your staff.
- Undertake impact assessments as appropriate.
How can Dixcart Legal help?
This article is simply a summary of the GDPR and DPB. If you need more in-depth advice, we can:
- Guide you through the requirements of GDPR and DPB as they apply specifically to your business.
- Present a seminar for your business to inform and assist key stakeholders.
- Assist with amendments to:-
- contracts of employment;
- data processing agreements;
- data protection policies and procedures;
- data subject access request procedures;
- privacy notices;
- employee data processing notices; and
- commercial contracts.
If you have any questions regarding the above or require any assistance, please do not hesitate to contact Anne-Marie Pavitt on +44 (0)333 122 0010 or by email Anne-Marie.Pavitt@dixcartlegal.com.