The General Data Protection Regulation (GDPR) overhauls the data protection legal framework in Europe and comes into effect on 25 May 2018.
Irish businesses must be fully compliant with the GDPR by that date. We look at the key provisions of the GDPR which businesses and other organisations need to be aware of below.
Key provisions of the GDPR
1. Extra-territorial effect
The GDPR has extra-territorial effect. Firstly, it applies to the processing of personal data by an EU business regardless of whether or not the processing takes place in the EU. This means that an EU business that uses servers outside the EU still falls within the scope of the GDPR.
Secondly, it applies to non-EU businesses that process the personal data of individuals in the EU (the test is where the individual is, not their citizenship) where the processing relates to the offering of goods / services to such individuals (irrespective of whether payment is required) or to the monitoring of their behaviour in the EU. Such businesses will be obliged to appoint an EU-based representative, subject to limited exceptions (for example, occasional processing that does not involve special categories of data on a large scale).
Where a controller or processor has more than one establishment (eg office) in the EU, the GDPR recognises the ‘one-stop-shop’ through the concept of a ‘main establishment’ with a single lead supervisory authority (see point 13 for further details).
2. Data Protection Officer (DPO)
Businesses will need to decide if they need to appoint a DPO. The following entities must appoint a DPO:
- public authorities and bodies (other than courts acting in their judicial capacity)
- businesses whose core activities involve large scale regular and systematic monitoring of individuals and
- businesses whose core activities involve large scale processing of special categories of personal data (see our GDPR jargon buster) or data relating to criminal convictions / offences
Even if the GDPR does not require the appointment of a DPO, some businesses may appoint a DPO on a voluntary basis. The GDPR rules relating to DPOs apply whether the appointment is voluntary or mandatory. Where a business is not required to appoint a DPO and tasks a person with responsibility for GDPR compliance, care should be taken to ensure that that person is not deemed to be a DPO, as this will give rise to the additional GDPR obligations.
Public authorities must appoint a DPO in all cases, and it is possible for a single DPO to be designated for several public authorities, taking account of their organisational structure and size. It is also possible for a single DPO to represent a number of private businesses.
In Guidelines adopted on 13 December 2016 and revised on 5 April 2017, the Article 29 Working Party (Working Party) recommends that unless it is clear that a controller or processor is not required to designate a DPO, then controllers and processors should document the internal analysis carried out to determine whether or not a DPO is to be appointed in order to be able to demonstrate that the relevant factors have been taken into account properly.
The role of a DPO is to advise the business (be it a controller or processor) on its obligations under, and to monitor compliance with, the GDPR. They will also cooperate with and act as a contact point for the Data Protection Authority (DPA). They should report to the highest level of management of the business, be independent and can fulfil other tasks as long as there is no conflict of interests. They should have expert knowledge of data protection law and practices. The DPO may be a member of staff or the role may be outsourced. Whoever the person is, the DPO must receive sufficient resources (ranging from financial to infrastructure and staff) in order to carry out their tasks.
The DPO must be involved in all issues which relate to the protection of personal data within the business, in particular by organising training and establishing a network of persons who are aware of the data protection issues within the organisation. They are also bound by confidentiality.
DPOs are also the contact point for individuals within or outside the organisation with regard to all issues relating to the processing of their personal data and to the exercise of their rights under the GDPR.
Businesses must not interfere with the DPO and they cannot penalise or dismiss the DPO in relation to the performance of his/her tasks. A business that fails to appoint a DPO where it is obliged to do so may be subject to administrative fines (see point 12).
3. Consent
The requirements around consent have been strengthened by the GDPR. This means that where a business intends to rely on consent for the lawful processing of personal data, it must be able to demonstrate that valid consent has been received from each individual whose personal data is being processed. To be a valid lawful basis for processing data, consent must be freely given, specific, informed and unambiguous, and any request for consent must be presented in plain language, clearly distinguishable from other matters. Individuals also have the right to withdraw consent at any time and it must be as easy to withdraw as to give consent.
Consent will not be regarded as freely given if the individual has no genuine or free choice or is unable to refuse or withdraw consent without detriment, eg in an employee / employer relationship. If processing has multiple purposes, consent should be obtained for each of them. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations. For consent to be informed, the individual should be aware at least of the identity of the controller and the purposes of the processing. An unambiguous indication of an individual's consent may include ticking a box when visiting a website or a statement or conduct which clearly indicates the individual's acceptance of the proposed processing of their personal data, eg responding to an email requesting consent. Silence, pre-ticked boxes or inactivity will not constitute consent. The onus will be on the business to demonstrate that consent has been received and so a record should be kept which evidences consent (who consented, when, how and to what they were told).
Under the GDPR, the age at which a child can give their own consent in relation to online services offered directly to a child is 16, but Member States may lower this to as low as 13, and the Irish Government recently announced that it intends to set it at 13. This means that where a business relies on consent to process the personal data of children below the applicable age in relation to such services, it will need to obtain and make reasonable efforts to verify the consent of the parent or guardian.
Where special categories of personal data are processed (such as data relating to health, political opinions or religious beliefs) an individual must give explicit consent unless the business proposes to rely on another basis as set out in the GDPR to process the individual’s personal data eg processing is necessary to perform obligations under employment, social security or social protection law.
4. Enhanced Rights for individuals
Under the GDPR, individuals have a right of access to their personal data, a right to rectify inaccuracies in their personal data, a right to have personal data erased in certain cases, a right to restrict processing of their personal data, a right of portability (Data Portability Right), a right to object to data processing and a right not to be subject to a decision based solely on automated processing, including profiling (Right to No Profiling).
- Data Portability Right – this allows individuals to receive their personal data from a business or have it transferred to another, where technically feasible. It only applies to personal data given to the business by the individual. An individual may only exercise the Data Portability Right where processing is based on consent or under a contract and the processing is carried out by automated means. The data must be provided by the business in a structured, commonly used and machine-readable format.
- Right to No Profiling - Individuals also have the right not to be subject to a decision based solely on automated processing, including profiling which is defined as:
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a person, in particular to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
While an individual has the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning them or similarly significantly affects them, this does not apply where the processing is authorised by European or Member State law (for example, if the individual is being investigated for fraud or tax evasion purposes); the processing is necessary for entering into or performance of a contract between the individual and a controller; or where the explicit consent of the individual has been obtained. In the latter two cases the business must still provide safeguards, including the right to obtain human intervention and to contest the decision.
5. Reduced time period for dealing with individual’s rights
When an individual makes a request (eg for access to their personal data), businesses must provide the relevant information without undue delay and within one month of receipt of the request. This has been reduced from 40 days. The one month period can be extended to two months where requests are complex or numerous.
Information must be provided free of charge but a business may charge a reasonable fee for any further copies requested by an individual or where access requests are manifestly unfounded or excessive taking into account the administrative costs of providing the information.
If a business refuses to respond to a request, they must, without delay and at the latest within one month, explain why and inform the individual of their right to complain to the DPA and their right to seek a judicial remedy.
6. Obliging businesses to be clearer about how they use personal data
Businesses must be more transparent as to how they use personal data and so must now provide information to individuals about the processing of their personal data unless the individual already has this information. The information to be provided includes: the identity and contact details of the controller and its DPO (if any); the purposes of the processing as well as the legal basis for the processing as set out in the GDPR (eg processing is based on consent, processing is necessary to perform a contract, etc); the recipients of the personal data; details of any transfers outside the EU; how long the data is held; the right to request access as well as rectification or erasure of their personal data; and the right to lodge a complaint with the DPA (to name but a few).
This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Where the processing is addressed to a child, the information or communication should be in clear and plain language that a child can understand.
7. Data Protection Impact Assessment (DPIA)
Where processing is likely to result in a high risk to the rights of individuals, businesses must carry out an assessment of the impact of the processing operations on the protection of personal data and must seek the advice of its DPO (if any) when carrying out a DPIA.
Examples of high risk activities include:
- the processing of special categories of personal data or personal data relating to criminal convictions and offences is on a large scale
- systematic monitoring of a publicly accessible area on a large scale (such as use of a camera system to monitor driving behaviour on roads)
- systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing (including profiling) and on which decisions are based that produce legal effects concerning the individual, or similarly significantly affecting the individual (eg a business creates a national credit rating or fraud database)
Businesses will be obliged to consult with the DPA in advance of processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the business to mitigate that risk.
A DPIA must include a description of the processing operations and their purpose, an explanation of the necessity and proportionality of the processing operations, an assessment of the risks to the rights and freedoms of the individuals and the measures taken to mitigate the risk (including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR).
8. Data Breach Notifications
When a personal data breach occurs, the business must notify the breach to the DPA without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights of individuals. If the notification is not made within 72 hours, a reason for the delay must be furnished. For example, a breach that would not require notification to the DPA would be the loss of a securely encrypted mobile device used by the business and its staff. Provided the encryption key remains within the secure possession of the business and the device is not the sole copy of the personal data, the personal data would be inaccessible to an attacker. This means the breach is unlikely to result in a risk to the rights of the individuals in question. In practice, the business should be able to show that the encryption was actually in force on the lost device and that the key was not recoverable from it (for example, through a device management policy that enforces encryption and a strong unlock credential), and the incident must still be recorded internally even though it is not notified. However, if it later becomes evident that the encryption key was compromised or that the encryption software or algorithm is vulnerable, then the risk to the rights of individuals will change and notification to the DPA may be required.
If the breach is likely to result in a high risk to the individual, they should also be notified of the breach without undue delay in clear and plain language, but individual notification is not required in instances where, for example, it would involve a disproportionate effort, in which case a public communication would suffice. By way of example, if an online business suffered a cyber-attack where the usernames, passwords and purchase history of its customers are published online by the attacker, the breach is likely to result in a high risk to individuals and so the business would have to notify the breach to those affected as well as to the DPA (the LSA, if it involved cross-border processing).
Processors of personal data are required to notify the controller without undue delay after becoming aware of a data breach and controllers must document all breaches. Notifications should include (i) the nature of the breach including the categories and approximate number of individuals concerned as well as the categories and approximate number of records concerned; (ii) the name and contact details of the DPO or other person where more information can be obtained; (iii) the likely consequences of the breach; (iv) the measures taken (or proposed to be taken) by the business to address the breach including measures to mitigate its possible adverse effects.
9. Data Protection by Design and Default
The GDPR introduces the new concept of privacy by design and by default. This is intended to strengthen the protection of privacy by requiring businesses to build consideration of privacy into their product and service design processes.
Privacy by design requires businesses at the time of the determination of the means for processing and at the time of data processing itself, to implement appropriate measures (such as pseudonymisation) which are designed to implement data protection principles and to integrate the necessary safeguards into data processing in order to meet the requirements of the GDPR and to protect the rights of individuals. In doing this, businesses must have regard to:
- the state of the art
- the cost of implementation
- the nature, scope, context and purposes of the processing and
- the risks of varying likelihood and severity for the rights of individuals posed by the processing.
Privacy by default requires businesses to ensure that by default, only personal data necessary for each specific purpose of the processing is processed. This applies to the amount of personal data collected, the extent of processing, the period of storage and accessibility. In particular, such measures must ensure that by default personal data is not made accessible (without the individual's intervention) to an indefinite number of natural persons.
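The paragraphs above name pseudonymisation as one of the "appropriate measures" a business may adopt, and the breach example in point 8 turns on a secret (there, an encryption key) being held apart from the data it protects. The following is an added example, not code from the original article, showing what keyed pseudonymisation looks like in practice: direct identifiers are replaced by HMAC-SHA256 tokens, analytics still runs over the tokens, and the lookup table needed to re-identify someone is returned separately so it can be stored under stricter access controls. The records, the key and the field names are constructed for the example. Note that pseudonymised data remains personal data under the GDPR as long as the means to re-identify exist; pseudonymisation reduces risk, it does not take the data out of scope.

```python
"""Keyed pseudonymisation of direct identifiers (added example).

Not part of the original article. Sample records and key are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample records, of the kind a customer database might hold.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "purchases": 3, "country": "IE"},
    {"email": "bob@example.com", "purchases": 1, "country": "IE"},
    {"email": "Alice@Example.com", "purchases": 2, "country": "IE"},
]


def pseudonymise_value(value: str, key: bytes) -> str:
    """Return a stable pseudonym for `value` under `key`.

    HMAC rather than a plain hash: without the key an attacker cannot
    rebuild the mapping by hashing a list of likely e-mail addresses,
    which is how unkeyed hashes of identifiers are normally reversed.
    The input is normalised so that case differences do not yield two
    tokens for the same person.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes, identifier_field: str = "email"):
    """Replace the identifier in each record with its pseudonym.

    Returns (pseudonymised_records, lookup). The lookup (token -> identifier)
    is the 'additional information' that the GDPR definition of
    pseudonymisation requires to be kept separately; the caller should
    store it apart from the records, under separate access controls.
    """
    pseudonymised = []
    lookup = {}
    for rec in records:
        token = pseudonymise_value(rec[identifier_field], key)
        lookup[token] = rec[identifier_field].strip().lower()
        new_rec = {k: v for k, v in rec.items() if k != identifier_field}
        new_rec["subject_id"] = token
        pseudonymised.append(new_rec)
    return pseudonymised, lookup


def aggregate_purchases(pseudonymised):
    """Per-subject totals: analytics that still works without identifiers."""
    totals = {}
    for rec in pseudonymised:
        totals[rec["subject_id"]] = totals.get(rec["subject_id"], 0) + rec["purchases"]
    return totals


def reidentify(token: str, lookup):
    """Only a party holding the separately stored lookup can do this."""
    return lookup.get(token)


if __name__ == "__main__":
    # In production the key lives in a KMS/HSM, never beside the records.
    key = secrets.token_bytes(32)
    records, lookup = pseudonymise_records(SAMPLE_RECORDS, key)
    for rec in records:
        print(rec)
    print("totals:", aggregate_purchases(records))
    print("re-identified:", reidentify(records[0]["subject_id"], lookup))
```

Two properties matter for the risk assessment: the same person always maps to the same token (so the analytics team can join records without seeing identifiers), and anyone who obtains only the pseudonymised records and not the key or lookup table cannot recover who is who, even by guessing likely e-mail addresses.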
10. Right to Compensation for individuals
An individual who has suffered damage as a result of an infringement of the GDPR has the right to receive compensation from a business for the damage suffered. To avoid liability, a business will have to prove that it was not in any way responsible for the event giving rise to the damage. If a business (as controller) engages another company (as processor) and both are responsible for the damage caused, they will be jointly liable. A business will be entitled to recover from the other company that part of the compensation which corresponds to their responsibility for the damage.
Individuals also have the right to make a court application to appeal certain acts and decisions of the DPA and may apply to court for relief against businesses where their rights have been infringed as a consequence of non-compliance with the GDPR.
11. New obligations for processors
The GDPR strikes an even balance between controllers and processors by making them jointly and severally liable according to their respective responsibility for the harm caused by a breach of data protection law. Under the GDPR, direct statutory obligations are imposed on processors – this means that processors are subject to direct enforcement by the DPA, as well as fines and compensation claims by individuals for any damage caused by breaching the GDPR. This is a significant change as currently processors only have to comply with the terms of the processing contract which they have agreed with the controller.
The GDPR also requires certain mandatory terms to be included in a contract between a controller and processor such as requiring a processor to only process data on the documented instructions of the controller, to sub-contract only with the controller’s prior consent, to ensure that the processor’s staff are committed to confidentiality and to assist the controller in complying with its data breach notification obligations as well as the rights of individuals.
12. Increased Penalties
The penalties for non-compliance with the GDPR have been increased. For example, businesses can be fined up to €20 million or 4% of annual global turnover whichever is the greater for offences such as not having sufficient consent from individuals for processing their personal data or for violation of the basic principles for processing (namely personal data is processed lawfully, fairly and in a transparent manner; is collected for a specified, explicit and legitimate purpose; is adequate, relevant and limited to what is necessary for the purpose; is accurate and kept up to date; is kept for no longer than is necessary; and is kept secure).
Businesses can also be fined up to €10 million or 2% of annual global turnover whichever is the greater for offences such as not conducting a DPIA, not having their records in order or not notifying the supervising authority about a breach.
The above penalties apply irrespective of whether businesses are controllers or processors.
13. Lead Supervisory Authority (LSA)
Enforcement of the GDPR is the responsibility of the DPA (in Ireland this is currently the Data Protection Commissioner until it is replaced by the (yet to be established) Data Protection Commission). Each Member State will appoint one or more independent public authorities to be responsible for monitoring the application of the GDPR. Businesses must cooperate with the DPA on request.
Businesses that operate in more than one Member State will have an LSA which has primary responsibility for dealing with queries and complaints regarding their cross-border processing. A business does not choose its LSA: the LSA is the DPA in the EU member state where the 'main establishment' of the business is located. Generally, the main establishment is the place of central administration of the business. However, if the decisions on the purposes and means of the processing are taken elsewhere in the EU, the establishment where such decision-making takes place is the main establishment.