The GDPR takes effect from 25 May 2018 and was introduced to further harmonise and modernise data protection procedures.
While many of the concepts, obligations and ideas of the existing data protection regime under the Data Protection Act 1998 ('DPA 98'), which the GDPR will replace, remain the same or similar, there are some significant changes.
The topic of data protection generally is a vast one and the purpose of this briefing note is to provide a summarised overview of the key changes to the existing regime.
What is new or different?
Enforcement - The fines that may be imposed for breaches of the GDPR have been significantly increased: depending upon the type of breach, a fine of up to 4% of annual worldwide turnover for the preceding financial year or 20m (EUR), whichever is the greater, may be imposed. The percentage fine is linked to an 'undertaking', a concept which is phrased around corporate groups. It currently remains a grey area where an Occupational Pension Scheme fits into the undertaking concept, and whether the sponsoring employer's group turnover would be factored into any fine relating to such a scheme.
Consent - This concept has been restated and revised so that there is now a requirement for demonstrable consent by the individual. Consent in this context means clear affirmative action, and the consent should be informed, specific, unambiguous and given freely. Consent given, for example, in a contract will only be valid for the specific purposes required by the contract. Consent is required for each processing purpose, and explicit consent is still required for sensitive personal data. Individuals have the right to withdraw their consent at any time.
Where pension scheme data is held and processed by and/or for trustees, currently it is likely that only implied consent has been given. Trustees will need to consider the basis on which they have consent and take steps to ensure that data subjects' consent satisfies the stricter new requirements.
The focus on the need for clear, unambiguous and granular consent means it is not an easy route to satisfying the requirement for processing to be lawful, and trustees in particular should consider relying on one of the other lawful reasons for processing data: the legitimate interest reason, or the statutory compliance reason for auto-enrolment purposes. Under the legitimate interest reason, processing is necessary for the purposes of the legitimate interests of the data controller or of the third party to whom the data is disclosed (this must be balanced against the individual's legitimate interests). Under the statutory compliance reason, processing is necessary for compliance with a legal obligation to which the data controller is subject.
Accountability, Compliance and Governance - One of the key changes is the enhanced focus on accountability and governance which will require increased awareness of the GDPR requirements. It will be important to understand the impact of the changes and identify the areas of difficulty in compliance.
An assessment of the risks of non-compliance includes provisions that promote accountability (monitoring and review) and governance. Data controllers should review what personal data they hold and any parties they share it with. Part of the overall governance focus is covered by the concept of Privacy by Design. This means putting in place appropriate technical and organisational measures to show that data protection has been considered and integrated into processing activities. Existing compliance programmes should be reviewed and adapted if necessary.
There is also a legal requirement to carry out data protection impact assessments (DPIAs) if there are proposed activities likely to result in a high risk to the rights and freedoms of individuals. What 'high risk' means is not further expanded, so it may be difficult to be sure where the line lies. DPIAs will consist of a range of questions on the activity, including its objectives and outcomes, the scale of the data being processed, whether new data is needed, what protections to privacy are being used, and who might be affected, and how, if that protection fails. Detailed records of data processing must be kept, and these will include DPIAs.
Enhanced rights of individuals - The rights of individuals as data subjects are strengthened and some new ones have been introduced:
- Right to be informed - an obligation to provide 'fair processing information' through a privacy notice. There must be transparency on how the information will be used and there is an emphasis on clear, concise notices. The list of information to be provided has been expanded by the GDPR. The time at which it should be made available will depend on when the data is collected.
- Right of access - individuals must be able to access their data to verify the lawfulness of the processing. They will do this through subject access requests. The key change here is the shortening of the time within which a response is required, from 40 days to one month. The right to charge for a response has been removed except in exceptional circumstances.
- Right of erasure or rectification - in the event of inaccurate or incomplete data. This is expanded to cover more circumstances than before.
- Right to data portability - individuals may reuse and transfer their personal data for their personal use to another controller without restriction as to usability. This is a new right reflecting the changing technology landscape.
- Right to object - processing of data is subject to consent, and individuals can object to certain types of processing such as direct marketing or processing for research or statistical purposes. Data subjects must be given explicit notice of their right to object from the outset.
Data Breach notification - A data breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data. The GDPR introduces a requirement to notify the relevant supervisory authority of any data breach that is likely to result in a risk to the rights and freedoms of the individuals affected. Failure to notify a breach is a breach of the GDPR itself. Where a breach occurs, it must be reported to the relevant supervisory authority without undue delay and within 72 hours of awareness, unless it is unlikely to result in a risk to the individuals. Any delay will need to be justified. Where there is a high risk, the notification must be made to the individual as well. In this context, 'high risk' would mean, for example, leaving the data subject open to discrimination, fraud or financial loss. The GDPR sets out the necessary information to be included in a report, including the nature of the breach and the categories and approximate numbers of individuals and personal data records concerned.
A robust breach detection process ought to be in place and, where working with data processors or joint controllers, evidence of their detection and breach management processes should be confirmed and demonstrated, and records retained. In that case it may be necessary to agree one shared process, or changes to each party's processes, to allow them to link up and work together.
Territorial Scope - The GDPR extends to the processing of personal data of data subjects in the EU by a controller or a processor who is not established or located in the EU, if they offer goods or services to data subjects in the EU or if they monitor the behaviour of data subjects where that behaviour takes place in the EU. Many non-EU businesses not previously covered by the DPA 98 will now be covered by the GDPR and may need to consider the possibility of having representation or offices inside the EU to manage their data protection obligations.