As you will no doubt know by now, the current law on data protection is to be updated by the General Data Protection Regulation (‘GDPR’), which comes into force on 25 May 2018. This legislation aims to bring the law of data protection in line with technological developments that have fast overtaken the current law which was implemented back in 1998. Just think how much technology has changed since 1998!
Rest assured, the majority of the new law will be much the same as the old, but GDPR is introducing a number of important changes. This article will summarise the key changes that GDPR is making to data protection law.
- Information Commissioners Office (ICO) Notification Fee
Any organisation that processes individual’s data must register with the ICO, as currently. However, the fees for registering are increasing from 1 April 2018, and are moving from a two-tier to a three-tier scheme based on turnover and number of employees.
- Record of Processing Activities
There is a new requirement to maintain a written record of your data processing activities and obligations. Certain information must be included. A data mapping exercise will help you gather all the relevant information, which will help you deal with points 3 and 4 below.
Data controllers (and in some circumstances data processors) will need to demonstrate accountability with respect to their data protection obligations. Organisations will need to show they have taken reasonable steps to comply with the data protection principles set out in the legislation. Time to review and update your privacy policies, consents, communications, and staff and operational policies and procedures. Positive action is now required by all organisations that process individuals’ data.
- Review of Consents
Going forward, consent should be “freely given, specific, informed and unambiguous”. Some types of data being collected will now require higher explicit-consent requirements. In an ideal world, express opt-in consent should be obtained from new customers etc., although there are some exceptions to this opt-in rule. You can continue to market existing customers for the same or similar types of goods/services, but make sure there is an unsubscribe option on the e-mail! Organisations should review all their processing activities that currently rely on a data subject’s consent and consider whether reliance on a different legal basis for processing is appropriate. Consent requests/statements should be: separated out; not dependant on a service being provided; active (no pre-ticked boxes); and be clear and written in plain language. Any consent requests should also make clear that the data subject may withdraw their consent at any time. Finally, procedures need to be put in place to retain records to prove that the business actually obtained the data subject’s processing consent. It is worth having a detailed overhaul in this area; it is not straightforward and individual circumstances need to be analysed.
- Data Subject Access Requests
Responses to data subject access requests must be offered free of charge (the £10 fee has been scrapped), and they must be dealt with within 30 days of a request (as opposed to the current 40-day time period).
- Right to erasure – the right to be forgotten
Individuals will be entitled to insist upon erasure of their data if: (a) it is no longer necessary for the data to be processed; (b) they withdraw their consent or object; (c) the data has been unlawfully processed; or (d) there is a legal requirement for the data to be erased. This right may be exercised against a data controller and any data processors that the data controller uses. However, there are some exceptions to this rule which will permit data to be retained.
If your organisation uses personal data to carry out profiling, there will be an obligation under GDPR to tell individuals what you are doing and how they can complain if they are not happy. Organisations also need to have appropriate safeguards in place.
- Notification of Security Breaches
Up until now, there has been no obligation to notify the ICO about any security breach of personal data. When GDPR becomes effective, there will be a new obligation to notify the ICO of all security breaches that are likely to result in a risk to the rights and freedoms of individuals. Notifications to the ICO must be made without delay, and in any event within 72 hours of becoming aware, and certain information must be included in the notification. In addition to notifying the ICO, the individuals concerned must be informed about the security breach of their data. A risk assessment for every security breach needs to be carried out and documented (even if the breach is not reported to the ICO). This document should set out the facts, effects, remedies, whether you will be notifying or not, and the reasons why. Failure to maintain such records results in a much higher risk of attracting a hefty monetary fine.
- Transfers of data outside the EEA
Under GDPR it is essential to ensure that any transfer of personal data by a data controller to a country outside the EEA is carried out in compliance with GDPR requirements. Either the country needs to be on the safe country list (Argentina, Canada, Guernsey, Jersey, Isle of Man, Switzerland, Israel, Faroe Islands, New Zealand, Uruguay), the transferee needs to be signed up to Privacy Shield (US only) or model contractual clauses should be adopted to ensure the person receiving the data deals with the individual’s personal data in a GDPR-compliant way.
- Appointment of a Data Protection Officer
Most organisations that process personal data will need to appoint a Data Protection Officer. This person ideally should be an employee and be given appropriate resources to fulfil their role.
- Increased Penalties
Potential fines will be increasing to up to 4% of annual global turnover or €20 Million (whichever is greater). Fines will be imposed where there is a serious contravention of one of the data protection principles which is likely to cause substantial damage or substantial distress, and be the result of reckless or deliberate behaviour. If an organisation can show that reasonable steps have been taken to avoid a breach of the principles then the risk of a penalty is greatly reduced.
What are reasonable steps?
- Audit and governance of data protection within the organisation;
- Implementation of the ICO’s guidance;
- Appropriate policies and procedures in place;
- Training of staff.
To become GDPR compliant, it is important that management within your organisation understand the main issues and risks involved with the changes that GDPR is bringing. As a starting position, an inventory of data processing activities should be drawn up and any shortcomings and weaknesses in data processing operations should be identified. Then you can put in place or update privacy policies and internal data protection policies and procedures. Next, any third-party data-processing contracts should be reviewed and updated. Then, consent procedures and policies should be reviewed and updated, especially those dealing with marketing. Finally, the appointment of a Data Protection Officer should be considered.
How can we help you?
We can help you get ready for GDPR by assessing your current practices for data protection and then advising you on what steps you need to take to become compliant. This includes the following services: –
- Completing a data mapping exercise – to determine your data flows, use of personal data, and what measures you currently have in place to comply with the legislation. This exercise will highlight areas that are non-compliant and what policies and documents are required to ensure compliance.
- Advice on completing your ICO notification form.
- Assistance with implementing or amending marketing and other consents from customers/ suppliers, etc.
- Reviewing Data Protection policies for the organisation (including the new stricter controls on erasure of information) and policies for Staff Handbooks/clauses for employment contracts).
- Provision of standard data protection clauses for supplier contracts and model clauses for international transfers of data.
Our data protection specialist solicitors are able to advise in either of our Wimbledon or Epsom offices