Preparing for replacement of the Data Protection Act by the General Data Protection Regulation.
GDPR was adopted by the European Parliament on 25th May 2016 and comes into effect on 25th May 2018. Geoffrey Sturgess explains what this means for businesses and what action you need to be taking.
The Secretary of State Karen Bradley MP confirmed to the Culture, Media and Sports Select Committee on 24 October 2016 that the UK will be implementing the General Data Protection Regulation (GDPR) in May 2018. However, it remains unclear what amendments may be made to data protection laws once the UK has left the EU. The best advice for businesses is to get ready for compliance with the GDPR until, as the Secretary of State said, the government looks "later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public".
UK Data Protection Rules
It seems unlikely that UK data protection rules will deviate significantly from the GDPR, as otherwise doing business with EU countries would become unnecessarily difficult.
The UK Information Commissioner’s Office (ICO) has produced useful guidance. It was produced before the GDPR was adopted but remains relevant. The ICO has also created a webpage dedicated to EU data protection reform linking to the new GDPR guidance and other relevant sites.
The Information Commissioner has called for organisations to begin preparing for the incoming GDPR and has provided a 12-step guide for this purpose.
Amendments to Data Protection Act
Compliance with the existing Data Protection Act (DPA) will meet the new regime's requirements in many respects and according to the ICO, is a "strong starting point to build from". However, new elements and enhancements will arise. The ICO flags the increase in potential fines to which organisations may be subject for GDPR breaches.
The guide suggests that organisations start planning their approach to GDPR compliance and gain support from key staff, particularly as in larger organisations changes may have implications for budget, IT, personnel, governance and communications.
The ICO highlights the GDPR's emphasis on documentation in the light of its accountability requirements. Reviewing how data protection fits into an organisation's governance approach is likely to be required, and contracts and other data sharing arrangements may need to be reviewed. Focussing on the aspects of the GDPR which are likely to have the greatest impact on an organisation's business model is advised.
Information Commissioner's 12-step GDPR guide
Key points from the guidance are summarised below.
1. Awareness
Ensure key decision-makers are aware of:
- The law changing to the GDPR.
- Likely impact, particularly in areas likely to cause compliance problems.
- Resource implications for achieving compliance.
2. Information audit
Organisations are advised to document the following:
- Personal data held (across the organisation and within particular departments).
- Where the data originated from.
- With whom the data is shared.
3. Communicating privacy information
Organisations should review privacy notices in light of anticipated GDPR changes. Changes include the requirement to explain in a short, simple and clear manner the following:
- The legal basis for processing data.
- Data retention periods.
- The right to complain to the ICO.
4. Individuals' rights
Procedures should be checked to ensure they cover how to properly manage a request from an individual seeking to exercise their GDPR rights. These rights are mainly the same as those under the DPA, but additional GDPR rights arise around preventing profiling, and there is a new right to data portability.
5. Subject access requests
Organisations should update policies and procedures to handle new GDPR features in relation to subject access requests:
- A new one-month time limit to respond (rather than 40 calendar days).
- Providing data subjects with extra information, such as on data retention periods and on their right to have inaccurate data corrected.
- Manifestly unfounded or excessive requests may be charged for or refused, so clear policies to justify such decisions should be created.
The ICO recommends conducting a cost-benefit analysis for providing data subjects with online access to their information.
6. Legal basis for processing personal data
The guidance suggests that organisations should:
- Examine the types of data processing the organisation carries out.
- Document the legal basis for carrying out each type of processing (broadly the same as those in the DPA), which will also assist with meeting GDPR accountability requirements.
- Set out the legal basis for processing in privacy notices and when responding to subject access requests.
The guidance points out that individuals will have a stronger right to have their data deleted where consent is the legal basis for processing.
7. Consent
The GDPR contains additional measures around consent. "Consent" or "explicit consent" must be freely given, specific, informed and unambiguous. Consent must also be a positive indication of agreement to data processing: it cannot be inferred from silence, pre-ticked boxes or inactivity. It must be verifiable. Therefore, the ICO recommends that organisations do the following:
- Review how consent is sought, obtained and recorded.
- Consider whether alterations or alternatives to consent mechanisms are necessary to meet the GDPR requirements and to provide an audit trail for demonstrating consent.
8. Children
The GDPR:
- Provides special protection for children's personal data, especially in the context of commercial internet services, such as social networking.
- Allows each member state to determine what it considers the age of a child to be (between 13 and 16).
The ICO indicates that the UK is likely to legislate to provide for anyone under 13 to be a child. It recommends that:
- Organisations should consider systems to use for verifying individuals' ages and to obtain parental or guardian consent, which the GDPR will require for lawfully processing a child's data.
- Organisations which aim their services at children should also note that privacy notices must be written in language that children will understand.
9. Data breaches
The GDPR will introduce a general duty to notify the ICO (and possibly other bodies) of certain types of breaches (generally breaches where individuals are likely to suffer damage as a result, such as through identity theft or breach of confidentiality). This differs from the current regime where only certain types of organisations must report breaches by law.
The guidance suggests the following:
- Ensure procedures are in place to detect, report and investigate a personal data breach.
- Document the types of personal data held which would fall within a notification requirement.
10. Data protection by design and data protection impact assessments
In light of GDPR changes in this area, the guidance suggests that organisations do the following:
- Adopt a privacy by design and data minimisation approach to all activities involving data processing, as this will be compulsory under the GDPR.
- Become familiar with the ICO's guidance on Privacy Impact Assessments (PIAs).
- Assess situations where it will be necessary to conduct a PIA (that is, where data processing is high risk, for example, where a new technology is being used or where profiling will significantly affect individuals).
- Determine who will conduct it, who needs to be involved and whether it should be run centrally or locally.
Consultation with the ICO will be required under the GDPR where a PIA indicates high risk data processing.
11. Data Protection Officers
Under the GDPR, a new obligation arises to appoint a Data Protection Officer (DPO) in certain cases (for public authorities, or for organisations whose activities involve regular and systematic monitoring of data subjects on a large scale). Organisations are advised to:
- Designate a DPO, if required. Otherwise, assign responsibility for data protection compliance to a particular person or role (internal or external).
- Ensure the DPO or person responsible is appropriately qualified, effectively supported and has appropriate authority within the organisation.
- Decide where the DPO or person responsible will fit within the organisation's governance structure.
12. International
A new GDPR "one-stop-shop" system will change the way complaints involving processing across multiple member states are assigned amongst data protection supervisory authorities. An organisation should therefore:
- Determine which data protection supervisory authority applies to it, if it operates internationally. This will depend on where its "main establishment" is, that is, where its main administration is located or where decisions about its data processing are made.
- Map where the most significant decisions about data processing take place, if the main establishment location is not clear cut.
If you have any questions about GDPR you can contact Geoffrey on 02380 717717 or email firstname.lastname@example.org.
Source: ICO blog posts: A data dozen to prepare for reform; "20 million reasons for organisations to get EU data reforms right"; and ICO guidance: Preparing for the General Data Protection Regulation, 14 March 2016. Practical Law Company.
This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice. All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.