The General Data Protection Regulation (GDPR) will require organisations that process European personal data to have a comprehensive compliance program.
The new GDPR, which will replace the existing UK Data Protection Act 1998 (DPA), will be in force on 25 May 2018. The GDPR will be effective in the European Union (EU) immediately on this date without any further laws being required. Following the United Kingdom’s (UK) exit from the EU, the government will need to enact domestic data privacy legislation to replace the GDPR. The Queen’s Speech included details of a new Data Protection Bill which is likely to be the successor data protection law although the GDPR will remain relevant to UK businesses that target the EU market.
Territorial Scope of the GDPR
The GDPR has extraterritorial effect and applies to
- processing activities by data controllers and data processors established in the EU, whether or not the processing takes place in the EU;
- the processing of personal data of data subjects who are in the EU by a data controller or data processor not established in the EU where the processing activities relate to offering goods or services to data subjects in the EU; and
- the processing of personal data of data subjects who are in the EU by a data controller or data processor not established in the EU where the processing activities relate to monitoring their behaviour in the EU.
The extraterritorial scope of the GDPR represents a significant expansion of EU data protection obligations to cover all processing activities relating to EU-based data subjects.
GDPR and the UK After Brexit
When the UK exits from the EU by 29 March 2019, the GDPR will only continue to apply to a UK organisation to the extent that it falls within the extraterritorial scope summarised above. For purely UK processing activities relating to UK individuals, the GDPR will no longer apply, although the UK is highly likely to have a broadly equivalent replacement data protection law in place at that stage for domestic processing activities. Therefore, the government will need to pass UK data privacy legislation in place of the GDPR for UK data processing and, perhaps, also for the processing of personal data of UK citizens by non-UK based organisations. The scope and stringency of this new legislation will be critical to whether the UK is still deemed to have “adequate” data privacy standards when it leaves the EU. This is, of course, relevant to whether data transfers to the UK from the remaining EU states are restricted or whether they are permissible without further obligations on those EU-based data exporters. The Queen’s Speech included details of a new Data Protection Bill which includes the following:
- new rights to require major social media platforms to delete personal information;
- a mechanism for the police and judicial authorities to continue to exchange information quickly and easily with the UK's international partners in the fight against terrorism and other serious crimes;
- the regime for data processing by law enforcement agencies will be updated and will cover domestic processing and cross-border transfers of personal data; and
- the powers and sanctions available to the Information Commissioner’s Office will be updated.
No other details of the Data Protection Bill have yet been publicised although it is likely that it will be more comprehensive in scope if it is to succeed the GDPR.
Most UK businesses are almost certainly going to need to transfer personal data to Europe and also to other countries outside the EU such as the United States. Currently, whilst the UK remains part of the EU, there are restrictions against transferring personal data outside the EU without consent from the individual, other than to certain “adequate” countries such as Canada or Switzerland or unless the business has in place a legally permissible mechanism, such as model clauses or binding corporate rules.
Processing of Personal Data Under the GDPR
Where the GDPR applies to the processing of personal data, an EU company should conduct an initial assessment of whether it (or any of its affiliates) is acting as a data controller or a data processor in these processing activities.
The data controller is ultimately responsible for compliance with the data protection principles which are that personal data must be
- processed lawfully, fairly, and in a transparent manner in relation to individuals;
- collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Consent and Privacy Notice Requirements
Personal data is lawfully processed if the data subject has consented to the processing or if a permitted derogation, such as legal or contractual necessity, applies. Further, there are strict conditions on whether consent has been validly obtained by the data controller.
The data controller must provide a privacy notice to data subjects regarding the processing of their personal data. The information in the privacy notice is summarised below and must be provided at the time the personal data is collected or, if it was collected via a third party, within a reasonable period of its collection. The privacy notice must specify certain information, and ensuring that privacy notices are compliant with the GDPR is likely to be a complex process for many organisations. The privacy notice must be concise, transparent, intelligible and easily accessible, written in clear and plain language, and provided free of charge.
There are also direct obligations on data processors under the GDPR regarding
- the security of processing operations;
- appointment of a Data Protection Officer;
- the engagement of sub-processors; and
- the notification of any breach of data protection obligations (including data security incidents) to the data controller.
Data Protection Officer
The appointment of a Data Protection Officer (DPO) is required where there is regular and/or systematic monitoring of individuals or large-scale processing of sensitive personal data or criminal conviction data. Organisations can still appoint a DPO even if one is not required, but it should be clear that this is an organisational role rather than one required under the GDPR. The DPO must be accessible to Europe-based individuals about whom the organisation processes personal data, as well as to the supervisory authority. He or she must be suitably skilled and experienced and also able to provide training to staff. Where the DPO sits in an organisation is likely to be a difficult assessment. The role must be sufficiently resourced and independent to be effective, must have access to management meetings and be involved in relevant business discussions, and must not conflict with any other role the DPO may have in the organisation.
Additionally, for organisations that are not established in the EU, a representative based in the EU should be appointed. Such an appointed representative may wish to have a letter of indemnity from the organisation to cover himself/herself from liabilities arising from this role.
The DPA does not have a mandatory data breach reporting obligation. The GDPR, however, does include a mandatory obligation to notify the data protection authority without undue delay and within 72 hours of becoming aware of the breach and, in certain circumstances, to notify the individuals affected by the breach. The UK government will, therefore, need to decide whether to include a data breach notification obligation in the new data privacy legislation applicable after Brexit, either similar to the stringent GDPR requirement or an alternative obligation, perhaps with a longer notification period and triggered for significant data breaches only, which may be more pragmatic and more suited to the UK’s approach of business-friendly legal requirements.
Recommended Steps to Comply With the GDPR
Organisations can consider taking steps to prepare for the GDPR such as the following:
- conduct an assessment of what personal data is processed or otherwise stored or held by the organisation and/or its affiliates, where it is held, the categories of data subjects (e.g. employees, contractors, contact points at commercial organisations, customers, etc.), the nature of the personal data (including whether it is sensitive personal data), for how long it is being retained, whether it is current or historical, how it was obtained (so far as possible), how it is used and with whom it is shared, and the locations of the recipients of the personal data (i.e. identify the data flows);
- review the consents (or other applicable lawful processing derogations) obtained for the processing of the personal data and any privacy notices, policies, or other information provided to data subjects for this processing and update the notices or policies as necessary under the GDPR;
- identify any international data flows and any applicable data transfer agreements (including model clauses approved by the European Commission) or pursuant to the Privacy Shield and ensure that all international data flows are conducted on a lawful basis;
- review and update as necessary any procedures for responding to data subjects accessing personal data or exercising any other rights such as rectification or blocking of personal data;
- review data security processes and review and update any (or prepare a) data security incident response plan which includes the obligation to notify the supervisory authority within 72 hours for certain high-risk incidents;
- consider whether the organisation (or one of its EU affiliates) needs to appoint a Data Protection Officer (this is required where there is regular and/or systematic monitoring of individuals or large-scale processing of sensitive personal data or criminal conviction data);
- review and, as necessary, amend processing provisions with data processors; and