GDPR is here - are you compliant yet?
This article is directed particularly to those “fortunate” individuals responsible for GDPR compliance in their organisations. It is anticipated that in answer to the question are you fully compliant, many would answer no—in common with most UK businesses.
There is a very good reason for that—there is still much debate about what the General Data Protection Regulation (“GDPR”) means and, unfortunately, however many times you read it, its meaning will not become clear.
Comfort should be taken from the opening words of Elizabeth Denham, the Information Commissioner, at the ICO’s recent Annual Data Practitioners’ Conference—“The 25th of May is not a deadline. It is a beginning.”
First let us dispel some myths:
The Information Commissioner’s Office (“ICO”), the body charged with enforcing GDPR in the UK will be fining those who are not fully compliant. They say that is not their role, which is to assist compliance rather than punish. In 2016/17 the ICO issued fines in 0.1% of cases they investigated under the Data Protection Act 1998(“DPA ‘98”). Those will have been the most egregious cases.
The new Data Protection Act 2018 (“DPA ‘18”) enacted GDPR into UK law. It did not. GDPR was already part of UK law and became effective on 25th May without any assistance from the UK Parliament. DPA ‘18 amends some of the provisions of GDPR where permitted by GDPR and otherwise excuses the UK Government and organs of the State from complying with what they regard as inconvenient provisions of GDPR.
Following Brexit GDPR will cease to have effect in the UK. It will not; the UK Government has announced that GDPR will continue to be part of UK law following Brexit.
Under GDPR, businesses will need consent from data subjects before processing their data. Not true. In fact the contrary applies. Because consent under GDPR, once given, can always be withdrawn, businesses should endeavour to use consent as a ground for processing as little as possible. It is likely, in most cases, only to be necessary for those wishing to direct marketing at consumers or sole traders and even they may be able to use “legitimate interest” rather than consent as their legal justification. There is also the PECR “soft opt-in” deemed received from those who have bought or discussed buying similar goods and services from you previously, of which more below.
There are software products out there that will enable you to be GDPR compliant. We don’t think so. Beware GDPR consultants bearing software. They probably know more about software than about GDPR.
If someone else processes data that I provide to them in my role as the Data Controller they are a Data Processor and have to sign a data processor contract. Makes sense but is entirely wrong. A Data Processor is someone who processes such data for a Data Controller under an arrangement where they should only process it as specified and not use any discretion. An accountancy or law firm is not a Data Processor of its client’s data (perhaps details of owners, directors or employees) provided to it in connection with its professional services because it uses its discretion when using that data to provide an outcome for the client. A data host is very likely to be a Data Processor.
GDPR was published just under two years ago. Why do we not yet understand what it means?
It is an EU “Regulation” (Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) and has direct effect, as written, in all the member states. It is not a “Directive” which directs member states to enact domestic legislation giving effect to the Directive. DPA 98 was enacted by the UK Parliament in response to Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
As a European regulation, it has to be interpreted in a way that is alien to UK professionals. Unlike UK legislation which should be interpreted literally, except where no meaning is discernable, when one can look to the intention of Parliament, a European regulation, like mainland European contracts, has to be interpreted in the light of the legislators’ (or parties’) presumed intentions and despite the plain meaning of the words. The legislators are presumed not to have intended any disproportionate effect. This is called purposive and proportionate interpretation.
Those intentions can be discerned in part from the recitals to GDPR of which there are many. They can also be determined from “Guidance” issued by various bodies: the ICO, other enforcement authorities across Europe and the European Data Protection Board (“EDPA”) (Previously the Article 29 Working Party (“WP29”)), a consultative organisation made up of representatives from all the enforcement authorities including the ICO. Then to fully understand the effect of GDPR in the UK it is also necessary to read DPA’18 and its intended amendments to GDPR.
Were one to print GDPR, DPA’18, and all the guidance from the ICO and WP29 the pile of paper would be perhaps a half a metre high. Then there is The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) and the proposed EU Regulation on Privacy and Electronic Communications which is intended to replace PECR. Both occupy similar ground to GDPR in that they proscribe electronic communications (email, telephone, SMS, fax) with individuals without consent, something that is also dealt with, but of course differently, by GDPR. The replacement of PECR with the new regulation (also an EU regulation with direct effect so needing purposive and proportionate interpretation) was intended for 25th May this year. It now seems unlikely to happen until next year.
It is hoped that the reader is now feeling much better—compliance is impossible as we don’t fully understand what it means. That is, however, no excuse for doing nothing. Should an organisation come to the attention of the ICO they will look more kindly on one that has tried to comply.
How is GDPR different from DPA’98
DPA’98 was a UK Act of Parliament and so could be construed literally—unlike GDPR.
DPA’98 had to be obeyed—it was the law. GDPR has also to be obeyed, but now it is necessary to justify and document your compliance in a so called “Record” (Art 30). This requires analysis of your processing activities, the legal basis on which you justify the processing, for how long you will process the data (and bear in mind that “data” includes an email address and “processing” includes merely storing it—think of the content of your Outlook inbox), what you use it for, who you share it with and the “organisational and technical measures” that you employ to keep the data secure.
Under DPA there was a requirement in contracts with Data Processors (see above in “Myths”) for the processor to agree to use appropriate organisational and technical measures. Under GDPR the contract needs to detail those measures. How do you do that, for your Record or a Data Processor contract? Let us start with the type of lock on the front door and the security measures in place when the office is unoccupied, move through the technical measures employed to prevent unauthorised people (staff and outsiders) from accessing the data and perhaps end with the encryption that is applied to communications or devices used away from the office. A statement of technical and organisational measures is likely to run to several pages.
Under DPA you would have used a privacy statement, probably on your website, explaining in general terms what you did with personal data. GDPR requires you to “provide” data subjects with detailed and quite specific information about what you are doing with their data (Arts 13 and 14). Usefully the ICO says that people using the internet or email, or accessing the internet, on behalf of their employer are so-called “corporate subscribers” and do not need to be provided with notices as they are aware that those with whom they come into contact will have a privacy notice and are smart enough to find it if they want to see it.
If you are using consent as the legal basis for any processing then the consent required is stronger than under DPA. Under GDPR consent means freely given, specific, informed and unambiguous consent, given by a statement or a clear affirmative action—so tick box if you agree is OK. Untick box if you don’t agree is not OK. (Art 4.11). It is also necessary to keep a record of all consents given (Art 7.1).
Under GDPR there is an obligation to notify the ICO within 72 hours of any “data breach” unless it is “unlikely to result in a risk to the rights and freedoms of natural person”. The data subjects affected must also be notified if the breach “is likely to result in a high risk to the rights and freedoms of natural persons”. Unsurprisingly we have no guidance on what constitutes a risk, or a high risk. A single email going to the wrong recipient could qualify as either. A TalkTalk loss of data will undoubtedly be high risk. Whatever you do you should document your decision making process in relation to each breach.
Legitimate interest seems to be the new “consent” (everyone’s favourite legal justification for processing) but it involves carrying out and documenting a balancing exercise and concluding that your interest in marketing (or other processing) is not outweighed by the data subject’s expectation of privacy; for marketing, probably concluding that they would want and expect the communication.
Just before the 25th May the ICO issued guidance on marketing. They say that consent is not necessary to send marketing communications to individual corporate subscribers provided that the communications are related to their businesses and they have not previously opted-out--legitimate interest will do. If you purchase a mailing list, even an “opted-in” list, you will need to send an Art 14 notice to everyone on that list.
Consent to marketing communications (or the soft opt-in) is almost always necessary if the intended recipient is an “individual” as establishing a “legitimate interest” will be harder. An individual seems to mean a consumer, someone working in a partnership or a sole trader. Sole trader probably does not mean sole trader but rather a self-employed individual who works entirely alone—the plumber, a “self-employed” IT worker, a fashion model. Partnership probably doesn’t mean a partnership business with many employees.
You need to know what “direct marketing” means. There is no precise definition and what there is appears in PECR. In our view it means the sending of a single communication to multiple recipients with a view to increasing your business, rather than a unique communication to one recipient.
GDPR requires certain organisations to appoint a Data Protection Officer (“DPO”). Those are organisations:
The core activities of which require “regular and systematic monitoring of data subjects on a large scale”. NB “monitoring” not “processing” but the distinction is not clear; or
Are processing on a large scale special categories of data (used to be called Sensitive Personal Data) or personal data relating to criminal convictions.
According to the ICO a DPO needs to have a “broad and deep understanding of GDPR”. Their role will be to ensure that the organisation complies with GDPR, to be the “go to” person when it contemplates any changes in how it deals with personal data and the person who sets up the procedures for, and deals with any Data Subject Access Requests or other exercises by data subjects of their rights and data breaches. The DPO need not be an employee and could be someone who acts as DPO for a number of organisations.
Because of the complexity of the rules and their interpretation it is probably a good idea to have a DPO, even if not strictly required. Potential DPOs will be relieved to know that they have no personal liability.
So what should you be doing as a GDPR late starter?
First analyse what you are doing with personal data (anything relating to an identifiable living individual), how you come by it, who you share it with, how long you keep it and how you keep it secure. Put this information into a “map”. We use Excel spreadsheets.
Armed with your map or maps decide the lawful basis on which your processing is done—consent, legitimate, necessary to prepare for or fulfil a contract with the data subject, necessary to comply with the law, or necessary to protect the vital interests of the data subject or another. If you cannot find a justification, stop that form of processing.
Then decide if anyone with whom you “share” personal data is either a Data Processor, or, with you, a joint controller of it. In the first case ensure that a compliant Processor Contract is in place (Art 28 (3); in the second case ensure that you have documented “arrangements” (Art 26) so you are both clear which of you would deal with any data subject rights issues—a subject access request, sending Art 13 or 14 notices (they can be “provided” by one of you on behalf of both), requests to delete or correct data, reporting data breaches and so on.
Establish whether you export any personal data to outside the EEA. If the country concerned is not on the EU’s approved list (Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay) or if in the US, the organisation concerned is not part of their “Privacy Shield” fudge (you can check that on-line), you will have to jump through several further hoops to make the transfer lawful (Art 44).
In this connection, if your data is hosted in the “cloud” (so your host moves it from location to location, wherever it can be hosted least expensively) you will need to establish not only that their Processor Contract with you is compliant but also that they agree that it will only be hosted within the EEA. Not all cloud hosts understand that. Strictly you also need to see the contracts between your host and its sub-hosts. Proportionality may make that unnecessary.
Next decide what Art 13 or 14 notices you will need to provide and, if consent is the basis on which you will do any of your processing, create a new consent form/mechanism and a system to record all consents obtained and show you any that have been withdrawn.
Then create your “record” documenting everything that you have done above and the reasons for any decisions you have made on, for example proportionality or legitimate interest. WP29 produced lengthy guidelines on legitimate interest.
Art 30 says that organisations with less than 250 workers do not need to have a “record” unless (with other exclusions) its processing of personal data is more than occasional. Having regard to the definitions of personal data (would include a single email address) and processing (includes storing or deleting it) it will be seen that any organisation with a computer and an internet connection will be processing personal data more than occasionally; it would be processing it constantly. The Art 30 exemption is thus illusory and we can safely say that would not have been the purpose of the legislators. The ICO has very recently provided guidance on what is not occasional, which is not particularly helpful but makes clear that in their view Art 30 means only that you do not need a record of your occasional processing but will still need to record your regular processing. We expect EDPB to come up with something in due course but for now, unless you bravely use purposive interpretation, there is no effective get-out from having to have a record.
Once you have your record it should be apparent what Art 13/14 notices you need to provide and how they should be brought to people’s attention and you will be able to produce those notices and deploy them.
Finally we recommend appointing a Data Protection Officer, or someone who fulfils that role to keep you on the straight and narrow.
In conclusion, don’t panic if you are not yet entirely compliant with GDPR, but do make sure that you are working towards compliance, and once you have your record (or policy), make sure you comply with it. Nothing looks worse to a regulator than having a policy but ignoring it.
Geoffrey Sturgess © 06.07.2018.
Geoffrey Sturgess is a consultant solicitor with Warner Goodman, Southampton, specialising in technology and data privacy law. He has been lecturing and advising on data privacy issues since 1998. Recently he has been lecturing on GDPR about twice every week. email@example.com
This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.