Data Protection – Everything You Need to Know But Were Afraid to Ask – Part 2
‘It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public.’ – Prof Clay Shirky, NYU.
In Part 1, I outlined how the protection of personal data has become a critical risk area for businesses, not-for-profits and charities as the regulator, the Information Commissioner’s Office (ICO), takes a tougher stance on enforcement of the rules. A series of high-profile incidents has heightened public concern about privacy and the misuse of personal data. Now organisations will need to prepare for even more stringent rules: in spite of Brexit, the new EU-wide General Data Protection Regulation (GDPR) will still come into force on 25 May 2018. In Part 2, I explain what will change when the GDPR comes into force on that date.
What will change under the GDPR in 2018?
The GDPR will introduce a series of explicit rights for individuals in respect of their personal data, some of which are new, and some are enhancements of the existing position:
- Right to access data – to be told whether personal data are being processed and to obtain a copy
- Right to erasure – if consent is withdrawn, or there is no legal basis for holding the data, individuals may request erasure
- Right to portability – the right to require data to be transferred to another data controller in a machine-readable format
- Right to rectification – an individual’s right to have inaccuracies corrected or to include a supplementary statement
- Right to restrict processing – data to be held in limbo while any disputes are resolved
- Right to be informed – i.e. to be told what information is being processed and for what purpose
- Right to object – the right to stop personal data being processed by withdrawing consent or challenging some other legal basis.
The key changes
- The definition of ‘personal data’ will be widened to include IP addresses, genetic and biometric data.
- Organisations will need to keep proper records of their data processing activities and make these available to the regulator if requested.
- Data processors (as well as data controllers) have direct obligations for the first time. These include an obligation to: maintain a written record of processing activities carried out on behalf of each controller; designate a Data Protection Officer where required; appoint a representative (when not established in the EU) in certain circumstances; and notify the controller without undue delay on becoming aware of a data breach. How data protection matters are addressed in supply and other commercial agreements will need to be reviewed – especially the allocation of liability for data breaches.
- The £10 fee for accessing records will be abolished and the time limit for dealing with a request to access or correct a record will be shortened from 40 days to 1 month. Extensions of up to 2 months may be allowed if the request is complex. Requests may be refused if they are ‘manifestly unfounded or excessive’.
- The right to request erasure of data has been strengthened. Under the current rules, erasure can be requested if processing the data causes unwarranted and substantial damage or distress. There will be specific circumstances where erasure can be requested, e.g. the individual withdraws consent to processing, or the data was unlawfully processed in the first place. There will be very limited grounds to refuse to erase, e.g. to comply with a legal obligation in performing a public interest task or for public health purposes.
- New right to ‘data portability’ – individuals will be allowed to obtain and re-use their personal data for their own purposes across different services (e.g. for use on a price comparison site). Organisations must provide the data free of charge in a machine readable format e.g. a .csv file within 1 month of a request.
- There will be significantly harsher penalties for data breaches – the current limit of £500,000 will increase to 20 million euros or 4% of an organisation’s global turnover, whichever is greater.
- An explicit right for individuals affected by a breach of the rules by a data controller or a data processor to bring a claim for compensation, which need not be for financial loss; it could cover personal distress and anxiety.
- Special rules will apply to children’s personal data – privacy notices must be child-friendly. Before offering online services to children under 16 (most likely set at under 13 in the UK), a parent’s or guardian’s permission will be required (except for online counselling and preventative services). (Note this does not affect the existing law for offline transactions, where the capacity of the child may be relevant.)
- New privacy notices will be required which provide information about retention periods for data, the rights of the data subject, the right to withdraw consent, the right to complain to the ICO, whether it is a statutory or contractual requirement to provide the data, and whether any of the data will be used for automated decision-making about the individual.
- There are potentially onerous new obligations on accountability and information governance. There is an explicit duty to put in place appropriate organisational measures to demonstrate compliance with the rules, which could include data protection policies, staff training, internal audits of data held and processing activities, privacy impact assessments when implementing new technologies or activities, reviews of internal HR policies and regular reviews of security arrangements. If your organisation has more than 250 employees there will be a more onerous duty to maintain records of processing activities. These records may be called for by the ICO as part of an investigation and may form an important part of your defence to any enforcement action.
- Mandatory duty to appoint a Data Protection Officer for public authorities or organisations which undertake large-scale monitoring of individuals or large-scale processing of ‘sensitive personal data’. Note it is the scale of the processing, not the size of the organisation, that matters. The DPO’s role is to inform and advise the organisation and its employees about their data protection obligations; monitor compliance with data protection laws; conduct internal audits; train staff and coordinate data protection activities; and be the first point of contact with the ICO and supervisory bodies, as well as with customers and suppliers whose data is being processed. The DPO is expected to report directly to the Board and must be given adequate resources and authority to perform their role. The role does not necessarily have to be filled by an employee – it can be contracted out.
- Duty to report data breaches to the ICO where a breach is likely to result in a risk to the rights and freedoms of the individuals affected; also a duty to notify the individuals affected if there is a high risk to their rights and freedoms. Notification must be made within 72 hours. The notification must detail the number of individuals and records involved, a description of the likely consequences of the data breach and the measures to be taken to (a) deal with the breach and (b) mitigate possible adverse effects. Failing to notify a breach can result in a fine of up to 10 million euros or 2% of the organisation’s global turnover.
What do we need to do to prepare for GDPR?
- Ensure Board members and management are aware of the new duties and are taking active steps to prepare, including securing resources and budgets required.
- Designate a Data Protection Officer to take responsibility for compliance and decide where this role will sit within your organisation’s overall governance structure.
- Review all policies and procedures which are relevant to data protection and privacy.
- Conduct an information audit and privacy impact assessments – understand what personal data your organisation holds, where it comes from and with whom you share it; identify the legal basis for processing the information; document your findings. Is there a clear audit trail showing how and when individuals gave their consent to processing of their personal data and opted into marketing communications?
- Review your privacy notices – see examples of good practice here.
- Take extra care if you are collecting information about children – bear in mind the new requirement to obtain a parent’s or guardian’s consent to processing data about children in most cases.
- Prepare to deal with subject access requests within the shorter time period of 1 month.
- When contracting out work to third parties (e.g. payroll providers, HR consultants, fulfilment houses) – check what measures they have in place to ensure compliance with the new duties. Are they signed up to any certification schemes or codes of conduct? Ensure you have appropriate contractual clauses in place to protect your organisation against their failures.
- Have robust procedures for detecting and investigating data breaches, and for internal reporting, so that notification can be made to the authorities within the 72-hour period.
- Review insurance covers to determine what risks or incidents are covered or excluded.
The new GDPR represents a step-change in the level of risk for organisations collecting, holding and processing personal data. It will be essential to begin preparations now: identifying resources and reviewing current procedures and policies in readiness. Elderflower Legal offers specialist legal, governance and company secretarial services to help keep your organisation compliant: elderflowerlegal.co.uk.