UK Government to consult on GDPR derogations

The Digital Minister, Matt Hancock, has confirmed the UK government will take advantage of the flexibilities afforded by the GDPR to implement UK-specific rules on aspects of data protection, "We are now working on the overall approach and the details of that implementation [of the GDPR]," Mr Hancock said in Parliament recently. "We plan to consult with stakeholders on key measures where we have the opportunity to apply flexibilities."

Mr Hancock also reconfirmed that the GDPR will become directly applicable in UK law on 25th May 2018.

The full Hansard account is available here.

Working Party 29 adopt GDPR guidelines

In December, Working Party 29 ("WP29") adopted guidelines on three key areas, each with a set of frequently asked questions. The right to data portability, data protection officers and identifying a controller or processor's lead supervisory authority. WP29 has extended the deadline for comments on these until 15 February 2017.

All the WP29 guidelines and frequently asked questions are available here.

Guidelines and Frequently Asked Questions on the right to data portability, adopted on 13 December 2016

Article 20 creates a new right to data portability. In essence, data subjects are entitled to receive a download of the personal data which they provided, in a format which can easily be re-used and shared with other data controllers, or request that the data is transferred directly to another data controller. The underlying principle is to support the free flow of personal data in the EU, and foster competition by facilitating switching between service providers.

A good example of this will be the porting of information submitted in an insurance application form, to one or more other insurers the following year, in order for an insured to obtain competitive quotes.

Key points to note from the guidance are:

  • The right covers data provided knowingly and actively by a data subject, and personal data generated by his or her activity. An example of the latter could be raw data provided by a smart meter, or by analogy by a telematics device (but not the user profile created by the data controller as a result). WP29 expressly state that the right should not be restricted to (for example) information provided in an online form.
  • WP29 recommends that industry stakeholders and trade associations work together to agree a common set of interoperable standards and formats to enable data portability. It emphasises that this is not a requirement to have "compatible systems".
  • A data controller receiving data in this way should delete any data which is not relevant to the purpose for which it has received it.
  • The GDPR requires that data should not be ported if it would adversely affect the rights and freedoms of other data subjects. This would not prohibit, for example, the forwarding on of a webmail address book to a new webmail account. By analogy, it would not prohibit the forwarding on of data regarding other insureds on the same policy. WP29 recommends that the data subject is given the means to select the relevant data and exclude (where not relevant) other data subjects' data.
  • Data controllers must inform data subjects of the right of portability. WP29 recommends that this should also be done before any account closure (or by analogy before a policy expires). WP29 also recommends that data controllers should explain the difference in the types of data which the data subject will have access to, in contrast to a data subject access requests.
  • If the data is large and complex, WP29 acknowledges that this could cause difficulties for both data subjects and data controllers. WP29 suggests that it is crucial to put the individual "in a position to fully understand the definition, scheme and structure of the personal data" and suggests that data could first be provided using a dashboard, allowing the data subject to port subsets of the personal data rather than the whole set.
  • WP29 recommends that when sending a data subject his/her data, the data controller makes them aware of steps they may wish to take to protect the security of that data, such as encryption.

Guidelines and Frequently Asked Questions on Data Protection Officers, adopted on 13 December 2016

Art 37(1) of the GDPR requires the designation of a DPO in 3 specific cases:

(i) processing is by a public authority or body;

(ii) the core activities of the controller or processer consist of processing operations "which require regular and systematic monitoring of data subjects on a large scale"; and

(iii) the core activities of the controller or processer consist of the processing on a large scale of (i) sensitive personal data or (ii) personal data relating to criminal offences (while the text of the GDPR says it is (i) and (ii), WP29 says the "and" should be read as an "or").

Most if not all insurers and brokers will be required to appoint a DPO.

Some key points to note are:

  • Whilst it is not possible for WP29 to provide precise numbers as to what would be "large scale" it anticipates that over time, this will become apparent by its publicising examples of relevant thresholds. WP29 gives as an example of large scale processing "processing of customer data in the regular course of business by an insurance company or bank".
  • WP29 seems to suggest that a DPO must be in a position to communicate in the language spoken by the supervisory authorities and data subjects concerned. This could be an interesting challenge for a DPO with a European remit.
  • The expertise and experience required of a DPO will depend on the type and scale of the personal data held by the organisation.
  • DPOs should regularly participate in meetings of senior and middle management. He/she should be present when decisions with data protection implications are taken. If the business decides not to follow the DPO's advice this should be documented.
  • In order for the DPO to act in an "independent manner" as required under Art38, the DPO must not be told how to deal with a matter or what result should be achieved, or whether or not to consult the supervisory authority. Indeed, DPOs should not be penalised for giving challenging advice.
  • To avoid conflicts of interest, DPOs should not be in a position to decide on the "purposes and means" of processing of personal data. WP29 suggests it can be good practice to develop a policy to avoid DPO conflicts of interest.
  • WP29 recommends that a business should seek the advice of a DPO on DPIAs, including whether or not to carry one out, and whether its conclusions meet the GDPR.

DPOs should take a risk based approach, and focus their efforts on higher risk uses of personal data.

Guidelines and Frequently Asked Questions for identifying a controller or processor's lead supervisory authority, adopted on 13 December 2016

Key points to note are:

What is cross border processing: there are 2 models:

(i) The controller or processor is established in more than one Member State and personal data is processed for the activities of all of those establishments. For example, a UK company with various EU branches is likely to be cross border processing.

(ii) The controller is established in one Member State but its processing substantially affects (or is likely to) data subjects in more than one Member State. For example if a company is providing services to customers located in other Member States.

What is a lead supervisory authority: the authority with primary responsibility for dealing with cross border data processing activities, including coordinating investigations involving other 'concerned' supervisory authorities.

How to identity the lead supervisory authority: it will be the Member State where the data controller is established, if only one, or where it has its main establishment. This could be where it has its central administration, that is where decisions about the purposes and means of processing of personal data are taken. This can be split within an organisation; the example given is a bank with corporate headquarters in Frankfurt where all the banking decisions are taken, but an insurance department in Vienna.

If the company's main office is outside the EU: then the company may designate an establishment that will act as its main office, have authority to implement decisions about processing activities, and take liability for the processing, including having sufficient assets. The company may be required to provide evidence of this to the supervisory authorities. Otherwise a company will have to deal with local supervisory authorities in every Member State they are active in.

For data processors: if a case involves both the controller and processor, the lead supervisory authority should be that of the controller (provided it is established in the EU).

Organisations should consider these guidelines in its GDPR implementation plans, and if appropriate provide comments to WP29.

Working Party 29 issue 2017 GDPR Action Plan, adopted on 16 January 2017

The main lines of its 2017 Action Plan are:

  • Finalise work on 2016 topics, including guidelines on Data Protection Impact Assessments, administrative fines, and the European Data Protection Board.
  • Start work on the topics of consent and profiling, transparency, data transfers to third countries and data breach notifications.

A second Fablab will take place on April 5 & 6 2017 when interested stakeholders can provide their views and comments on the 2017 priorities.

New ICO webpage providing an overview of the GDPR

Very conveniently, the ICO has created a new webpage which will set out all guidance issued by WP29 and the ICO, and hopefully (where relevant) issued by other data protection supervisory authorities. For example, we believe the Bavarian data protection authority will be issuing guidance on what the "processing record" should look like.

Currently this webpage contains links to the WP29 Guidance set out above. In addition it states that WP29 are planning to issue guidance on:

  • Transparency

  • Profiling

  • High risk processing

  • Certification

  • Administrative fines

  • Breach notification

  • Data transfers

At the beginning of March the ICO published guidance on consent which they are seeking feedback on through public consultation, ending 31 March 2017; we will report fully on this in our next edition. The ICO is also planning on publishing guidance on contracts and liability, of which we will report on in due course.