Tick Tock, GDPR is coming...


Do you know what the GDPR is? 

Do you know that in less than 12 months it becomes law?

From 25th May 2018 the General Data Protection Regulation (GDPR) will replace the Data Protection Act (DPA). The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

 

So what are the key differences between the GDPR and the DPA? I recently listened to a lecture about the GDPR by the Information Commissioner's Office (ICO), and below are my notes on it:

 


The GDPR consists of 99 Articles divided into 11 chapters. The rest of the GDPR is made up of 173 recitals, which supplement and provide context for the articles, giving extra information and guidance.

 

General Scope of the GDPR 

  • Applies to Data Controllers and Processors (definitions similar to DPA)
    • Data Controllers: Defines how and why personal data is processed.
    • Data Processors: Acts on behalf of the Data Controller.
  • GDPR brings legal obligation to Data Processors.
    • Processor must maintain records of personal data and processing activities.
    • There is significantly more legal responsibility if Data Processors are responsible for a breach.
    • (Note these greater legal obligations to Processors do not absolve Controllers from their obligations if a processor is involved).
  • GDPR places further obligation on Data Controllers to ensure their contracts and processes comply with GDPR.
  • GDPR is broader in scope in terms of the Data Controllers outside the EU to whom it applies
    • It applies to organisations processing data in the EU.
    • It also applies to organisations outside the EU that are offering goods and services to those in the EU.

 

Definitions of Personal Data under GDPR

  • Like the DPA the GDPR applies to personal data, but the definition is more detailed
    • Online identifiers, such as IP address can be personal data.
    • The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect and use personal data.
  • Some other noticeable differences include the definitions of:
    • A manual filing system, which is also broader than under the DPA and applies to records filed in chronological order
    • Personal data that has been pseudonymised, which can fall in the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
  • Sensitive personal data is referred to in the GDPR as 'Special Categories'. These are broadly the same as those in the DPA, but with minor changes. The Special Categories specifically include:
    • Genetic data and some biometric data, where processed to uniquely identify an individual.
    • Political opinions
    • Trade union membership
    • Sexual life
    • Racial or ethnic origin
    • Physical or mental health
    • Religious or philosophical beliefs
  • Criminal convictions and/or offences are not categorised as special.

 

The GDPR’s Data Protection Principles

  • This can be found in Article 5. 
  • Broadly the same as DPA but with some additional details at certain points.
  • Personal data must be:
    • Processed lawfully, fairly and transparently
    • Collected for specified, explicit and legitimate purposes
    • Adequate, relevant and limited.
    • Accurate and up to date
    • Kept in a form that permits identification of data subjects for no longer than necessary.
    • Processed with appropriate security.
  • (Principles relating to individuals' rights or international transfers are addressed in separate articles).
  • Also, in Article 5(2) there is a new accountability principle which requires the data controller to show how they comply with the principles.

 

Basis for Processing Data

  • Schedules 2 and 4 of the DPA are now replaced with 'Bases for Processing', which are set out in Articles 6 and 9 of the GDPR and are broadly equivalent.
  • It is important that Data Controllers determine their legal basis for processing personal data and document this.
  • The Bases for Processing are:
    • Consent
    • Processing necessary for the performance of a contract.
    • Processing necessary to protect the vital interests of the data subject.
    • Processing necessary for the performance of a task carried out in the public interest.
    • Processing necessary for the purposes of legitimate interest pursued by the Controller or third party.
  • Article 9 sets out the conditions for processing Special Categories of personal data
    • In particular it brings in a new basis for processing for reasons of public health.
    • It also raises a distinction between consent and explicit consent.

 

Consent

  • The GDPR has references to consent and explicit consent
  • Both forms of consent have to be:
    • Freely given
    • An unambiguous indication of an individual's wishes
    • Informed
    • Specific
  • Explicit consent additionally must be expressly confirmed in words rather than any other positive action.
  • In short consent must be:
    • Clear and affirmative action 
      • Silence or inactivity can’t be taken as consent.
    • Easy to distinguish 
      • Data controllers must keep a record of consent to ensure it is verifiable.
      • Consent won’t be considered to be freely given if there is an imbalance between the Data Controller and Data Subject, such as an employee/employer relationship.
    • Withdrawable (Right to withdraw)
      • At any time
      • As easy to withdraw as it was to consent.

 

Profiling 

  • GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual.
  • In particular, to analyse or predict their:
    • Performance at work
    • Economic situation
    • Health
    • Personal preferences
    • Reliability
    • Behaviour
    • Location
    • Movements
  • When processing personal data for profiling purposes you must ensure appropriate safeguards are in place, in particular:
    • Processing is fair and transparent, by providing meaningful information about the logic involved as well as the significance and envisaged consequences.
    • Appropriate mathematical and statistical procedures are used for the profiling, to enable inaccuracies to be corrected and minimise the risk of errors.
    • Personal data is secured in a way that is proportionate to the interests and rights of the individual and prevents discriminatory effects.

 

Individuals' rights

  • There are 8 rights in the GDPR
  • The right to:
    • Be Informed
      • Consistent with the Fair Processing Obligation within the DPA, although the GDPR is more explicit on how this should be presented.
      • It should be:
        • Concise
        • Transparent
        • Intelligible
        • In an easily accessible form
        • In clear and plain language
      • You must be clear and upfront, and it must be written in a way that is easy to read and comprehend.
        • There are some special instructions for information aimed at children.
        • Other fair processing information that is required includes:
          • Information on retention periods
          • Information on the right to withdraw consent
          • Existence of automated decisions
          • Name of your Data Protection Officer
          • Any safeguards applied to international transfers of data
    • Erasure
      • The Data Subject has the right to have data deleted where there is no compelling reason for processing it, e.g.:
        • Where the Data Subject withdraws consent
        • The data is no longer necessary for the purpose it was collected
        • It needs to be erased to comply with a legal obligation
        • Where it is data processed in relation to the offer of information services to a child
      • If you do erase, you will need to inform any other organisation you have disclosed the data to, unless this would involve disproportionate effort.
      • You can refuse to erase data in some instances, i.e.:
        • Where the information concerns the right to freedom of expression and information
        • Exercise or defence of legal claims
    • Automated Processing
    • Object
    • Rectification
    • Data Portability
      • This is a new right.
      • Data subjects are able to easily move their data between data controllers safely and securely.
        • They can obtain and reuse their data for their own purposes.
        • Information should be provided in a commonly used form.
        • They can ask for data to be transferred between Data Controllers where this is technically possible (a limited right).
        • This must be provided free of charge.
        • The Data Controller must respond within a month (or two months for complex or numerous requests).
        • Information must be provided in a structured and commonly used machine readable form.
    • Restrict Processing
    • Subject Access Request
      • Similar to the DPA, but the data subject has the right to additional information along with the data itself.
      • Right to know:
        • of the existence of any automated decisions
        • any safeguards applied to international transfers
      • Reduced timescales for response: you must respond without delay and within 1 month.
      • Must provide the information free of charge.
      • No longer able to refuse a request that requires disproportionate effort.
      • You must inform the subject of the right to complain to a supervisory authority (the ICO).
      • And of the right to seek judicial remedy if you are refusing the request.

 

Responsibilities of Data Controllers

  • Accountability and Governance
    • “The Data Controller shall be responsible for, and be able to demonstrate compliance with, the principles” (GDPR Article 5(2)). Data Controllers cannot just say they are compliant; they must be able to provide evidence of it.
    • Evidence should be made up of:
      • Technical and Organisational measures
        • Internal policies, reviews and audits
          • Records kept should include:
            • Categories of the recipients of personal data
            • Purposes of processing
            • Retention schedules
            • Transfers to a 3rd country
          • The extent to which a Data Controller has to comply with these obligations depends on the number of staff employed, whether it is special categories of data or data on convictions and offences, and whether the processing results in a risk to the rights and freedoms of individuals.
      • Data Protection Impact Assessments
        • Designed to help Data Controllers identify the best way to comply with their obligations.
        • When does a Data Controller need to use one?
          • When the processing of data involves new technologies and is likely to result in a high risk to the rights and freedoms of individuals
      • Data Protection Officers
        • You will need to appoint a DPO if:
          • You are a Public Authority (except courts)
          • Your data processing involves systematic monitoring of data subjects on a large scale
          • There is large scale processing of special categories of data
        • A single DPO can be appointed to cover multiple organisations or public authorities, taking into account structure and size.
        • Data Processors will be under the same obligations as Data Controllers with regards to DPOs.
        • DPO Job Description
          • Inform and advise the organisation about its obligations to comply with the GDPR
          • Monitor compliance with the GDPR, including managing internal data protection activities
          • Be the first point of contact for supervisory authorities and data subjects
          • Provide training to staff, advise on data protection impact assessments and conduct internal audits
          • Must report to the highest management level
      • Breach Notification
        • The Data Controller must notify supervisory authorities of any data protection breach that is likely to result in a risk to the rights and freedoms of individuals.
        • The Data Controller is to assess this on a case by case basis.
        • The Data Controller must also notify data subjects.
        • 72 hour breach notification (information can be provided in phases).
        • If a Data Processor suffers a breach, it must notify the Data Controller without delay.
      • Article 32 Security of Processing (more explicit about organisations' responsibilities than Principle 7 of the Data Protection Act)
        • Data Controllers and Data Processors must take technical and organisational measures to ensure a level of security appropriate to the risk.
        • The measures taken to safeguard personal data should include:
          • Encryption and pseudonymisation
          • Restoring availability and access in the event of an incident
          • System confidentiality
          • Integrity, availability and resilience
          • Testing as well as assessing and evaluating security measures
        • When assessing what is an appropriate level of security, an organisation should pay particular attention to the risk of:
          • Loss
          • Alteration
          • Accidental or unlawful destruction
          • Unauthorised disclosure
      • Administrative fines
        • Where fines are imposed, they must be effective, proportionate and dissuasive.
        • 1st Tier: €10 million and 2% of turnover
          • Failure to meet organisational obligations, such as infringements around the obligation to appoint a Data Protection Officer or to maintain written records
        • 2nd Tier: €20 million and 4% of turnover
          • Relates to infringements such as consent, lawful processing, international transfers, processing of special categories of data and data subjects' rights
        • Factors to be considered:
          • Number of people involved
          • The damage to the data subjects
          • Negligence or intent
          • Action taken by the Data Controller to mitigate the damage
        • Data Processors will have their own statutory obligations and can be held directly liable for failure to comply with them, meaning they can also be subject to sanctions from the supervisory authority, including administrative fines.
