The General Data Protection Regulation comes into effect in mid-2018 and will introduce a number of substantive changes to data protection laws across Europe. The changes are likely to be supplemented by new rules in relation to electronic marketing and online tracking.

The GDPR will require all organisations to review how they collect, hold and process personal information and how they communicate with individuals. Organisations will need to adopt new measures and update their internal processes to demonstrate their compliance with the GDPR. The new rules will be backed up by enhanced enforcement powers.

Changes include:

Consent

There is a new requirement for `clear affirmative action' and an end to pre-ticked boxes and bundled consents.

Transparency

Organisations must provide much more information to individuals.

Lawful Processing

There are stricter rules on processing data for new purposes.

New access rights

Greater rights are given to individuals, including rights of erasure, protection against profiling, and a right of data portability.

Privacy by design and default

Existing good practice recommendations must be hard-wired into day to day operations.

Breach notifications

New express obligations to notify privacy regulators and affected individuals in the event of certain data privacy breaches.

Accountability

Organisations will have to demonstrate compliance to regulators on an ongoing basis and maintain records.

Sanctions

The power for regulators to issue fines for up to 20m or 4% of worldwide turnover, (including substantial fines for administrative breaches).

How will this affect me?

Public authorities regularly handle personal data in relation to the delivery of public services. Such processing will frequently involve sensitive (or special category) personal data, to which even stricter rules apply. Public authorities also have all the responsibilities that private sector firms do: they are employers, they operate IT systems and engage in marketing. GDPR may have an impact on freedom of information laws.

GDPR changes the basis on which public authorities can process personal data for these functions: there is less freedom to rely on legitimate interests and it is unlikely that public authorities will be able to rely upon consent as a basis for processing. The Government has proposed that an organisation will be a public authority under GDPR if it is a public authority under freedom of information laws.

Specific issues:

Data collection - do your privacy notices, client engagement and processes for collecting personal information meet the new rules on transparency and consent?

Status - bodies that perform a quasi-public role or also carry out commercial activities will need to understand what their status is under the GDPR.

Legal basis - where a public authority currently relies upon consent or legitimate interests, it will need to identify another legal basis. Do you need to clarify your statutory powers?

Consent - how do the restrictions in the GDPR on public authorities using consent interact with the express requirement to obtain consent under ePrivacy rules?

Data collection - do you clearly explain to data subjects how their data will be used? How do you communicate your privacy notice when data is provided by a third party (eg another public authority)?

Policies and procedures - are your policies for handling and retaining personal data and data subject requests adequate?

Contracts - if you use third parties to handle personal data on your behalf (for example providers of IT systems or marketing agencies), do your contracts comply with the requirements of GDPR?

Data sharing - if personal information is shared with third parties, is that being done on a fair and lawful basis, bearing in mind that many public authorities currently rely upon legitimate interests?

Freedom of information - what impact will the GDPR have on freedom of information requests?

Breach reporting - do you have internal processes in place to deal with data breaches and ensure that they are reported to the ICO? Do your staff know what to do if they suspect a data breach has occurred?

What do I need to be doing?

  • Identify your team and plan your strategy for compliance.
  • Create an information asset register what personal information and where, why, how and with whom do you process it.
  • Review the legal basis for your data processing activities.
  • Review your data collection forms and privacy notices to ensure they meet the new requirements.
  • Identify your status under the GDPR.
  • Review your processes and systems for dealing with data subjects rights, as well as responses to FOI requests.
  • Implement data governance policies and measures and training to ensure your organisation operates in accordance with the requirements of the GDPR.
  • Review your supply chain arrangements with data processors.
  • Ensure that new technology and systems are GDPR ready.