GDPR - What happens now?

Dispute Resolution ∙ Corporate ∙ Employment ∙ Property ∙ Immigration

Contact Sejal Raja, Partner and Head of Employment T. 020 7227 7410 [email protected]

GDPR articles from our solicitors

Data has become the most valuable commodity of the digital era. In Europe, the value of the data economy is thought to be around the €50 billion mark and projections suggest that this figure could rise to €111 billion by 2020. With such rapid development in the collection, transfer and processing of data comes not only increased risk of data breaches, but the risk that those breaches will be of a far greater scale and consequence.

It is no wonder then that the EU has seen fit to implement a new data protection framework. The General Data Protection Regulation (GDPR) will be directly applicable in all member states from 25 May 2018.

In this booklet we take a look at some of the key features of the GDPR for organisations and individuals.

Call or email us to talk about how we can help with your legal and business challenges:
Sejal Raja, Partner T. 020 7227 7410 E. [email protected]
Stephen Blair, Partner T. 020 7227 7254 E. [email protected]

Note: Accurate as printed at end March 2018 per ICO guidance.

Contact Oliver Haddock, Solicitor T. 020 7227 7433 E. [email protected] or Philip Maddock, Partner T. 0207 227 7381 E. [email protected]

A Data Protection Officer’s conflicting duties

The GDPR makes the appointment of a Data Protection Officer (DPO) mandatory in certain circumstances. Public authorities must appoint a DPO, as must controllers or processors which process special category personal data on a large scale or those who engage in regular or systematic monitoring of data subjects on a large scale. A DPO’s duties include aligning an organisation’s data protection policies and practices with the GDPR.
The DPO must be ‘properly involved’ in all matters relating to data protection at the organisation, which would place demands on the DPO’s time.

Under the GDPR ‘the DPO’s tasks are defined as:
• to inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws
• to monitor compliance with the GDPR and other data protection laws, and with your data protection policies, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits
• to advise on, and to monitor, data protection impact assessments
• to cooperate with the supervisory authority
• to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).’

One of the most difficult elements of the DPO’s role is to reconcile their potentially conflicting duties to their employer on the one hand and the ICO on the other. As such, a DPO must have some level of independence from their employer in order to fulfil what may at times be conflicting duties. It follows that an organisation must not attempt to dictate the way in which a DPO fulfils their obligations under the GDPR, as the regulation clearly states that a DPO should not ‘receive instructions’ from the organisation in this respect.

In recognition of this potentially difficult balancing act, employment protection is afforded to those taking on the role. The GDPR confirms that the DPO ‘shall not be dismissed or penalised…for performing his tasks’.

These complications should be considered when selecting a suitable candidate for the role. The wrong choice could risk exposing the business to liability and/or undermining business needs.

Contact Sejal Raja, Partner and Head of Employment T. 020 7227 7410 [email protected]

I’ve received a subject access request – What do I do now?
Data subjects have the right to:
• obtain confirmation that their personal data is being processed
• access the data that is being processed, including receiving a copy of it
• be provided with supplemental information about the processing

Data subjects can access this by making a ‘subject access request’.

Charging fees

With regard to subject access requests, the current £10 fee has been removed, but if a request is ‘manifestly unfounded or excessive’, you can charge a fee. What amounts to ‘manifestly unfounded or excessive’ is not defined. Although guidance is likely to be issued, the meaning will ultimately depend on the approach taken by the courts.

Deadlines for responding

The deadline for responding has changed. Organisations must respond to requests ‘without undue delay’ and at the latest within one month. It is possible to extend this by two months so long as the person making the request is informed before the month’s expiry about the extension and the reasons why further time is required. This will usually be the case if the request is particularly complex or the documents to be provided are voluminous. They must be given an updated timeframe for response.

What personal data should we provide?

In terms of the information that should be provided, GDPR says that ‘a copy of the personal data’ that is being processed should be provided. This can include all the usual pieces of information but also wherever the data subject’s name is mentioned, for example, in emails, provided there is some other pertinent or identifying information mentioned too.

In addition, you should provide supplemental information such as the purposes of processing the information, the categories of data processed, the recipients of any personal data, the envisioned retention period and the individual’s right to erasure.

You can take some immediate steps in order to prepare for a subject access request. Develop template response letters to ensure that all elements of supporting information are provided.
Assess your organisation’s ability to collate, retrieve and provide the data.

Contact Sejal Raja, Partner and Head of Employment T. 020 7227 7410 [email protected]

What do I do if there has been a data breach?

Under the GDPR, organisations must report any data breach to the ICO within 72 hours of the organisation becoming aware of it.

Reporting data breaches

Unlike under the previous regime, this is now a mandatory requirement and organisations may also need to inform any data subjects of the breach. However, it is not necessary to report every breach, only those that are likely to affect the rights or freedoms of the individual, for example by risking identity theft, discrimination or financial loss.

Within the breach notification, employers must state what has happened, why and how the breach occurred, and how they are rectifying the situation and protecting against the breach happening again in the future.

ICO powers

Under GDPR, the ICO has many powers of enforcement, including investigative powers, the ability to make compliance orders and the ability to impose financial penalties.

Fines for data breaches

There has been much concern about the fines that can be imposed under GDPR. They are described as those that are ‘effective, proportionate and dissuasive,’ being up to €20 million or 4% of the organisation’s global turnover, whichever is higher. The ICO has confirmed, however, that these top end fines will be rare and reserved for only the most egregious breaches.

What should you do now?
• Ensure you have policies and processes in place that ensure data breaches are avoided in the first instance where possible and responded to in line with GDPR timescales
• Ensure records of all data breaches are kept. It would be good practice to keep an internal record of even the less serious breaches that do not require notification to the ICO
• Liaise with IT teams to implement any technical measures to protect personal data

Contact Stewart Duffy, Partner T. 020 7227 7418 E.
[email protected]

Unlawful obtaining of personal data – A warning for regulated professionals

In November 2017 The Daily Post reported that hundreds of North Wales health workers had been ‘caught snooping’ on their own medical records and those of family members.

The report goes on to detail the results of a Freedom of Information request made to Betsi Cadwaladr University Health Board. This revealed that staff members had accessed medical records of family members on 211 occasions between April 2016 and June 2017.

Monitoring for unauthorised access

Through the National Intelligent Integrated Audit Solution (NIIAS), NHS Wales actively monitors for a variety of types of unauthorised access to electronic health records, including if a staff member accesses their own record, the record of a family member, colleague or of a person living at the same address or neighbouring area. NHS Trusts are expected to log access to medical records and to audit such access, at least periodically.

Footnotes
http://www.dailypost.co.uk/news/north-wales-news/betsi-cadwaladr-medical-records-access-13920804

Prosecutions of staff

Successful prosecutions for unlawfully obtaining personal data have been brought against NHS staff, members of the probation service and the police force. However, the Daily Post report is striking because of the scale of unauthorised access which appears to have occurred.

The offences set out in the Data Protection Act 1998 are punishable by the imposition of a fine. They are not recordable offences. The position is likely to change when that act is replaced in the coming months. If enacted in its current form, the Data Protection Bill would make such offences recordable offences which would be included on the Police National Computer (PNC). They will continue to be punishable by fines.

The practical consequences go beyond the imposition of a fine.
Media reports of successful prosecutions demonstrate that in many cases, the conduct which led to prosecution has resulted in the loss of employment. For registered regulated professionals it may also lead to regulatory sanctions.

Take home points

Organisations should be aware of the possibility of criminal prosecution for unlawfully accessing records. When conducting or reviewing your data security arrangements, look at access controls which mitigate the risk of unauthorised access of records by employees.

Contact Holly Bridden, Solicitor T. 020 7227 7455 E. [email protected] or Stewart Duffy, Partner T. 020 7227 7418 E. [email protected]

We are all data subjects – What rights do we have?

By Holly Bridden and Stewart Duffy

This briefing considers the rights of data subjects which have either been strengthened or introduced by the GDPR. A data subject’s right to fair processing is a fundamental right recognised in the EU Charter.

The following rights are provided for in the GDPR:
• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Right not to be subjected to automated individual decision making, including profiling, where the decision will have legal or other significant effects
• Right to a remedy

Conflicting rights of data subjects

It is important to bear in mind that the data which is subject to these rights may constitute the personal data of more than one data subject and the rights of data subjects may conflict with one another. The GDPR does not give automatic priority to one data subject’s rights over another’s and a balancing exercise will have to be undertaken on a case-by-case basis.

The right to be informed

The right to be informed is reflected in the requirement for the controller to provide privacy notices to data subjects at the time they collect data from them.
The GDPR sets out detailed requirements as to the information to be provided and makes separate provision for privacy notices to be provided when personal data is collected from third parties. In an important development, controllers are required to specify the lawful ground(s) which they rely on for processing.

The right to access

Long established subject access rights are maintained in the GDPR with some important changes. It will no longer be permissible to charge for the majority of subject access requests and the timeframe for responding to such requests is shortened to 30 days, subject to the possibility of extension in certain circumstances. As under the existing regime, the right of access is a qualified right.

The right to rectification

Data subjects have the right to obtain rectification of inaccurate personal data without undue delay and, taking into account the purposes of processing, the right to have incomplete personal data completed.

The right to portability

In effect this right is a subject access right. However, it applies only to personal data which the data subject has provided to a data controller (and not information generated from that personal data), where the processing is based on the individual’s consent or for the performance of a contract and when processing is carried out by automated means. This will include any computer based processing.

Data controllers will be required to provide personal data to individuals, or in some cases other organisations, without hindrance, in a structured machine readable format.

The EU’s Article 29 Working Party has adopted guidelines in relation to the right to portability. The Working Party advises that the outcome of an assessment regarding a user’s health… [cannot of itself] be considered as provided by the data subject.
The term ‘provided by’ includes personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but does not include data resulting from subsequent analysis of that behaviour. That is not to say that such data is not personal data but simply that it falls outside the scope of the right to portability.

The right to restrict processing

Under Article 18 data subjects have the right to restrict processing where:
• Accuracy of the data is contested
• The processing is unlawful and the data subject opposes the erasure of data
• The controller no longer needs the data, but the subject requires the data for the establishment, exercise or defence of legal claims, or
• The data subject has objected to the processing pursuant to Article 21(1) pending the verification as to whether legitimate grounds of the controller override those of the subject

Where processing has been restricted, further processing, other than storage, may only go ahead with the subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of another natural or legal person or for reasons of important public interest of the EU or a member state.

The right to object

Where the public interests or legitimate interests conditions in Article 6 are relied upon, data subjects have the right to object to their personal data being processed at any time. The controller is not permitted to carry on processing unless it can demonstrate that there are compelling legitimate grounds which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where processing is undertaken in reliance on consent, withdrawal of consent will render further processing unlawful in the absence of another relevant ground.

Rights relating to automated decision making and profiling

The GDPR’s provisions are similar to those contained within the Data Protection Act. Individuals have a right not to be subject to a decision when it is based solely on automated processing, including profiling and where that decision produces a legal or similarly significant effect on them. This does not apply where it is necessary for entering into a contract, authorised by law or based on explicit consent. The processing of special category personal data for automated decision making is subject to additional restrictions.

As the Working Party notes, ‘Profiling is a procedure which may involve a series of statistical deductions. It is often used to make predictions about people.’

The right to have data erased

This principle requires personal data to be accurate. Under the Data Protection Act, a data subject may apply to the court to request that the inaccurate data which is being processed is blocked, erased, rectified or destroyed.

The GDPR does not provide an absolute right to be forgotten. It provides data subjects with a right to erasure without undue delay where one of these conditions is met:
• The personal data are no longer necessary in relation to the purposes for which they were collected
• Where the consent on which processing is based is withdrawn
• The data subject objects to the processing and there are no overriding legitimate grounds for the processing
• Personal data have been unlawfully processed

However, there are exemptions.
Some organisations will be able to decline requests for erasure in many cases as processing (including retention of records) could be considered necessary for compliance with a legal obligation, for the performance of a task carried out in the public interest, or the establishment, exercise or defence of legal claims.

The right to a remedy

Data subjects have the right to compensation when they have ‘suffered material or non-material damage as a result of an infringement of this Regulation.’ Damages will remain available for ‘distress only’ claims, in line with current UK case law.

In terms of liability, processors will only be liable to the extent that they have acted outside of their instructions or failed to comply with aspects of GDPR specific to their own obligations.

London: 85 Fleet Street, London EC4Y 1AE. T +44 (0)20 7222 7040 F +44 (0)20 7222 6208
Leeds: Verity House, 6 Canal Wharf, Leeds LS11 5PS. T +44 (0)113 341 1900 F +44 (0)113 243 2205
Cardiff: Southgate House, Wood Street, Cardiff CF10 1EW. T +44 (0)29 2034 3035 F +44 (0)29 2034 3045

We are a leading UK-based law firm providing business, regulatory, not-for-profit and private legal advice. Services for businesses, not-for-profit and the public sector include: commercial, corporate, employment, immigration, property, dispute resolution and regulatory advice. Services for private individuals include: tax, wills, estates, international tax and wealth structuring, property and employment advice.