The General Data Protection Regulation, which will be in force later this year, requires organisations that process European personal data to have a comprehensive compliance programme. Additionally, the UK will implement the GDPR into its new Data Protection Act, which will also be extraterritorial in scope. International organisations doing business in Europe will need to be mindful of the GDPR and the other European local data privacy laws that will apply in addition to the GDPR.
The new General Data Protection Regulation (GDPR) applies from 25 May 2018 and, being a regulation rather than a directive, takes effect directly in every European Union (EU) member state on that date without national implementing legislation. Following the United Kingdom’s (UK’s) exit from the EU, likely to be in 2019, the UK government will need to enact domestic data privacy legislation to replace the GDPR. The draft data protection law has now been published and it incorporates and supplements the GDPR. Additionally, the GDPR itself will remain relevant to UK businesses that target the EU market, in the same way as it applies to other non-EU businesses. Other European countries will also implement their own local data privacy laws to supplement the GDPR, because some provisions, such as those relating to the processing of criminal conviction data and to children’s consent, allow member states to vary the GDPR requirements in local law.
TERRITORIAL SCOPE OF THE GDPR
The GDPR has extraterritorial effect and applies to
- processing activities by data controllers and data processors established in the EU, whether or not the processing takes place in the EU;
- the processing of personal data of data subjects who are in the EU by a data controller or data processor not established in the EU where the processing activities relate to offering goods or services to data subjects in the EU; and
- the processing of personal data of data subjects who are in the EU by a data controller or data processor not established in the EU where the processing activities relate to monitoring their behaviour in the EU.
The extraterritorial scope of the GDPR represents a significant expansion of EU data protection obligations: a non-EU organisation with no EU establishment is caught whenever its processing relates to offering goods or services to, or monitoring the behaviour of, individuals who are in the EU.
When the UK exits from the EU by 29 March 2019, the GDPR will continue to apply to a UK organisation only to the extent that it falls within the extraterritorial scope summarised above. For purely UK processing activities relating to UK individuals, the GDPR will no longer apply. Instead, the new Data Protection Act (currently in draft form) will apply. It incorporates the GDPR and supplements its principles in the way that is permitted for all EU countries. Like the GDPR, it has extraterritorial effect, so that it applies to non-UK businesses that offer goods or services to UK residents or that monitor UK residents.
Most UK businesses will need to transfer personal data to the EU and also to other countries outside the EU, such as the United States. Currently, whilst the UK remains part of the EU, transfers of personal data outside the EU are restricted: they are permitted to countries the European Commission has found to be “adequate” (such as Canada or Switzerland), under a legally recognised mechanism such as model clauses or binding corporate rules, or under a limited derogation such as the explicit consent of the individual. The UK government will need to negotiate an “adequacy” decision for the UK from the European Commission as part of the Brexit arrangements; without one, transfers from the EU to the UK will need to rely on one of these mechanisms.
PROCESSING OF PERSONAL DATA UNDER THE GDPR
Where the GDPR applies to the processing of personal data, each organisation should conduct an initial assessment of whether it (or any of its affiliates) is acting as a data controller or a data processor in each processing activity, since the obligations differ for each role.
The data controller is ultimately responsible for compliance with the data protection principles which are that personal data must be
- processed lawfully, fairly, and in a transparent manner in relation to individuals;
- collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
CONSENT AND PRIVACY NOTICE REQUIREMENTS
Personal data is lawfully processed only where one of the lawful bases in the GDPR applies: the consent of the data subject, or another basis such as the performance of a contract with the data subject, compliance with a legal obligation, or the legitimate interests of the controller (where not overridden by the interests of the individual). Where consent is relied on, strict conditions apply to its validity: it must be freely given, specific, informed and unambiguous, and it must be as easy for the data subject to withdraw as it was to give.
The data controller must provide a privacy notice to data subjects regarding the processing of their personal data. It must be provided at the time the personal data is collected from the data subject or, if the data was obtained from a third party, within a reasonable period of obtaining it and at the latest within one month. The privacy notice must specify certain information, including the identity and contact details of the controller (and of the DPO, where one is appointed), the purposes and lawful basis of the processing, the recipients of the data, any international transfers, the retention period and the rights available to the data subject. Ensuring that privacy notices are compliant with the GDPR is likely to be a complex process for many organisations. The privacy notice must be concise, transparent, intelligible and easily accessible, written in clear and plain language, and provided free of charge.
There are also direct obligations on data processors under the GDPR regarding
- the security of processing operations;
- appointment of a data protection officer;
- the engagement of sub-processors; and
- the notification of any personal data breach (including data security incidents) to the data controller without undue delay, so that the controller can meet its own notification deadlines.
DATA PROTECTION OFFICER
The appointment of a Data Protection Officer (DPO) is required where the organisation’s core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive personal data or criminal conviction data (public authorities must appoint one in any case). Organisations may appoint a DPO even if one is not required, but supervisory guidance treats a voluntarily appointed DPO as subject to the same GDPR requirements as a mandatory one, so an organisation that intends a lighter, purely organisational role should make that clear and avoid using the DPO title. The DPO must be accessible to the Europe-based individuals about whom the organisation processes personal data and to the supervisory authority. He or she must be suitably skilled and experienced and able to provide training to staff. Where the DPO sits in the organisation is likely to be a difficult assessment: the role must be sufficiently resourced and independent to be effective, must have access to management meetings and be involved in relevant business discussions, and must not conflict with any other role the DPO holds in the organisation.
Additionally, organisations that are not established in the EU but fall within the GDPR’s extraterritorial scope must designate a representative based in the EU, unless their processing is only occasional, does not include large-scale processing of sensitive personal data or criminal conviction data, and is unlikely to result in a risk to individuals. A person appointed as representative may wish to obtain a letter of indemnity from the organisation to cover liabilities arising from the role.
DATA BREACH NOTIFICATION
The GDPR includes a mandatory obligation to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals); a notification made after 72 hours must state the reasons for the delay. Where the breach is likely to result in a high risk to those individuals, they must also be notified without undue delay. Every breach, whether or not it is notified, must be documented so that the supervisory authority can verify compliance.
RECOMMENDED STEPS TO COMPLY WITH THE GDPR
Organisations can consider taking steps to prepare for the GDPR such as the following:
- Conduct an assessment of what personal data is processed or otherwise stored or held by the organisation and/or its affiliates: where it is held, the categories of data subjects (e.g. employees, contractors, contact points at commercial organisations, customers, etc), the nature of the personal data (including whether it is sensitive personal data), for how long it is retained, whether it is current or historical, how it was obtained (so far as possible), how it is used and with whom it is shared, and where the recipients of the personal data are located (i.e. map the data flows)
- Review the consents (or other lawful bases) relied on for the processing of the personal data, prepare privacy notices to data subjects for this processing, and update any existing policies as necessary under the GDPR
- Identify any international data flows and the transfer mechanism relied on for each (such as model clauses approved by the European Commission, binding corporate rules or, for transfers to the United States, the EU-US Privacy Shield), and ensure that all international data flows are conducted lawfully
- Review and update as necessary the procedures for responding to data subject access requests and to the exercise of other rights, such as rectification, erasure, restriction of processing, data portability and objection
- Review data security processes and review and update any data security incident response plan (or prepare one) so that it supports the obligation to notify the supervisory authority within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to result in a risk to individuals) and to notify the affected individuals where the risk to them is high
- Consider if the organisation (or one of its EU affiliates) needs to appoint a data protection officer. (This is required where core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive personal data or criminal conviction data)
- Review and, as necessary, amend the processing agreements with data processors so that they contain the terms the GDPR requires