What is GDPR?
GDPR is the General Data Protection Directive, a new data protection law from the European Union that will replace the existing Data Protection Act 1998 (DPA) that many people will be familiar with. It will apply across the EU and is designed to increase the rights of individuals (called data subjects) in light of the massive change in the use of data over the last 20 years and to try and harmonise data protection law across the EU.
When does it come into force?
The GDPR must be implemented on 25 May 2018.
Who will enforce it in the UK?
In the UK, it will be enforced by the Information Commissioner’s Office (ICO) who currently deals with the DPA.
Who does it apply to?
The GDPR applies to anyone who processes or controls personal data. People familiar with the terms data controller, data processor and personal data from the DPA will have some understanding of what this means.
Why are so many people talking about it?
There are a number of reasons for this. GDPR will impose new obligations not only on data controllers (the people who decide how the data is processed) but also on data processors (the people who process the data as instructed by the data controllers). In order to comply with the GDPR, details about how data is being used and processed needs to be reviewed very carefully so that appropriate policies and protections that comply with the GDPR can be put in place.
One reason that organisations are concerned about GDPR is that penalties and fines for breaches of the GDPR could be substantial. Maximum fines could be 20 million Euros or 4% of a group global turnover. This is far higher than the fines under the DPA.
This has led to a substantial industry being set up to help organisations become compliant.
The ICO has expressed concern about scaremongering as
- Not all data breaches will need to be reported
- Fines will not always be issued and will always be huge
- Not every processing of data will require explicit consent from the data subject – while consent is one way of complying with the GDPR, there are other lawful ways to process data
Nevertheless, GDPR is important legislation with potentially high penalties and organisations cannot afford to be complacent. The ICO will be much less likely to be lenient where no effort at compliance has been made. Organisations should already have started preparing. This will include a review of what data is held, how it is being used and how it was obtained. Third parties who handle your data may need new contracts on data processing. Security measures for the data also need to be scrutinised to see that they are appropriate. Staff training on data protection will be required and documents such as privacy policies will need updating.
Importantly, this needs to be an ongoing process. This is not a one-off effort and compliance must be kept under review and updated.
What data does this apply to and what is meant by processing?
Data is not just names and addresses. It can be anything that can identify an individual or could be used with other data to identify an individual. This means that it’s not just lists of names and addresses – it might mean photos, CCTV and IP addresses of people accessing your website. And processing is similarly wide. It covers virtually anything that might be done to data, from collecting it, storing it, analysing it, using it, transmitting it, deleting it and destroying it.
What are the data protection principles?
The GDPR sets out data protection principles which need to be complied with. These include:
- Personal data must be processed lawfully, fairly and in a transparent manner
- personal data must be collected only for specified explicit legitimate purposes and must not be processed further in any manner incompatible with those purposes
- personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected
- personal data must be accurate and kept up-to-date
- personal data should not be kept longer than is necessary for the purposes of for which it is processed
- appropriate security and protection against unauthorised or unlawful processing, accidental loss, destruction or damage must be implemented using appropriate technical measures
- the data controller must be able to demonstrate compliance with the principles
Data breaches are frequently in the press. This can be as simple as a lost laptop or hacking of large organisations such as TalkTalk. In some cases, it will be necessary to make disclosures of this and very promptly. Organisations should have a policy in place so they know what to do on becoming aware of a data breach.
What should I be doing to get ready?
Many organisations will probably already have started preparing for GDPR. Exemptions are limited and it will apply to most organisations, however small.
There are a number of steps that need to be done. This will probably start with a data protection impact assessment of the data that an organisation holds, uses, how it gets it and what it does with it. This will also involve looking at the need for the data and its processing, risks and security. The results of this then needs to be reviewed against the data protection principles and the GDPR itself.
In some cases – particularly marketing – you may need to review the consents that you have for data processing. If there is doubt about what consent you have, you may not be able to market to those individuals going forward. Many organisations do not always have adequate records of the consents they obtained. Or they may have collected that data by using pre-checked tick boxes which will not be sufficient. Or perhaps they did not give clear indications in plain language of how the data will be used.
It may be necessary to delete data – for example, if it is old or if sufficient rights to process it are not held.
If data is to be exported outside the EU, then additional protections may be required as there are restrictions on this (which differ in some ways to the restrictions under the current DPA).
Under the existing regime, virtually all the obligations were imposed upon the data controller (broadly that is someone who decides how the data is to be used) rather than a data processor who processes those instructions. Under the GDPR new obligations are imposed on data processors. So, if you are a data processor of a third party’s data, you will need to review your agreements with them (as well as your own compliance with GDPR).
Consent and lawful processing
Obtaining consent to process data will become even more important in many cases in a way that complies with the data protection principles.
Consent must be an active, affirmative action. Pre-ticked boxes or opt outs will not be able to be used. Records must be kept of how and when consent was obtained.
Where data relates to various areas such as racial or ethnic origin and genetic or biometric data, more stringent rules apply.
Consent is not the only way to process data lawfully. Lawful use includes processing data to comply with a contract or legal obligation.
Data Protection Officers
Some organisations will need to appoint a data protection officer (DPO) who should be someone who understands the law and can advise and monitor compliance. Whether or not you need to appoint one is dependent on the type of organisation and type of data processing. It will not always be clear whether a data protection officer is required. If an organisation does not engage in regular and systemic monitoring of individuals, then a DPO is unlikely to be required but may choose to appoint someone as a data protection leader.
Subject Access Requests
Under the DPA, individuals could get copies of their data by paying a fee capped at £10. A data controller has 40 days to respond. Under GDPR, the response must usually be given within a month and a fee will only be able to be charged if the request is ‘manifestly unfounded or excessive’.
The government is preparing for Brexit when EU law will no longer apply in the UK. While EU Regulations such as GDPR have direct effect without the need for new laws, a Data Protection Bill has been introduced which will replicate the GDPR as a piece of UK legislation (amongst other things). The Government hopes that this will help allow the UK to have a smooth transition following Brexit and convince the EU that data protection in the UK is sufficiently strong to allow transfer of data without obstacles.
Where can I get help?
GDPR compliance will take planning and action and this article is not comprehensive. Organisations should take someone with authority to take the lead on ensuring their own compliance. There are lots of resources and guidance available from the ICO website at www.ico.org.uk. There are various commercial organisations which can assist with compliance. There are also accreditation schemes available for cybersecurity.