The General Data Protection Regulation - how you can prepare for GDPR
Publication of the General Data Protection Regulation (GDPR) heralded the biggest shake-up of European data protection law in over 20 years. In this section our Information Law experts discuss how you can prepare, the implications of Brexit and the key changes proposed in the GDPR.
A new General Data Protection Regulation was published in the Official Journal on 4 May 2016. As it is a Regulation (as distinct from a Directive), it is directly binding on Member States without any requirement for implementation into national law. It entered into force in all EU Member States on 24 May 2016 and shall apply from 25 May 2018.
It introduces a new sanctions regime and new requirements that will increase the regulatory burden on controllers and processors. The GDPR accompanies its cousin in law enforcement data protection matters, the Police and Criminal Justice Data Protection Directive.
The European Commission claims that the reform will boost legal certainty for businesses, with a single set of rules across the EU and a "one-stop-shop" approach to regulation meaning that companies will only have to deal with one single supervisory authority ("SA").
However, while the GDPR is designed to enhance individuals' data protection rights, the necessary corollary of stronger rights for data subjects is more onerous obligations for controllers, and, for the first time, processors.
How you can prepare
- Put together your GDPR implementation task force.
- Start the process, where applicable, of appointing your DPO.
- Review IT systems and internal processes to ensure that an individual's data can be located and extracted both for the purpose of data portability (ie passing a copy to the data subject or another controller) and for the purpose of deleting it easily on request.
- Conduct an audit of what personal data your organisation holds, how it is being used, to whom it is being disclosed and to where it is being transferred.
- Review and update customer privacy notices to reflect the new transparency requirements of the GDPR.
- Start reviewing data protection clauses used (both for templates and live negotiations) in supplier agreements to include the mandatory provisions and an appropriate change of law clause.
- Develop a template DPIA to be used in any upcoming high-risk projects.
- Suppliers performing the processor role will need to review the scope of their obligations and their liability/ indemnity provisions, given their new exposure under the GDPR.
- Review existing processes and procedures for subject access requests, including the development of template response forms and assessing whether the one-month response deadline could be met.
- Review breach notification and management systems and procedures, including draft notification forms for both notifications to the SA and affected individuals (or controllers as applicable).
- Start putting together training materials to raise staff awareness of the new rules under the GDPR.
Implications of Brexit
The UK vote to leave the European Union has created uncertainty about how the GDPR will apply to the UK in the future. However, as the UK Government submitted a formal notice of an intention to leave the European Union (under Article 50 of the Lisbon Treaty) only at the end of March 2017, the conclusion of negotiations for that exit will almost certainly occur after the GDPR application date of 25 May 2018.
This means that GDPR will have some direct application to the UK for a period of time while the arrangements for leaving the European Union are finalised.
The ICO has also indicated that, in order to participate in the Single Market and data transfers from the European Economic Area, the UK will need to adopt data protection standards that are essentially equivalent to those in the GDPR in order to justify an adequacy decision; therefore, notwithstanding the Referendum result, we do expect some degree of reform to UK data protection law.
Further, UK-based organisations that offer goods or services to EU-resident individuals or monitor their behaviour, or whose personal data processing activities are related to such offering/ monitoring, will in any event be directly subject to the GDPR regardless of whether it is in force in the UK.
Key changes proposed in the GDPR
- Administrative fines up to a maximum of €20 million or 4% of a business's worldwide annual turnover: The GDPR introduces a new regime of administrative sanctions in two tiers. The lower tier is the greater of €10 million or 2% of a business's worldwide annual turnover of the preceding financial year and the higher tier is the greater of €20 million or 4% of a business's worldwide annual turnover of the preceding financial year.
- Mandatory breach notification within 72 hours (where feasible) and notification to affected individuals: Controllers will have to notify the SA of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; a notification made after 72 hours must be accompanied by the reasons for the delay. Affected individuals will also need to be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms. A processor has to notify its controller "without undue delay". The 72-hour clock runs from awareness of the breach, not from the end of the investigation, so incident response procedures need to surface and escalate suspected breaches quickly.
- Statutory liability for processors: Processors will have a statutory obligation to implement appropriate security measures when processing personal data on behalf of a controller, as well as to follow the instructions of the controller and ensure the reliability of its staff involved in processing the personal data. In addition, they have an express obligation to notify the controller of security incidents. Processors may also be exposed to claims for financial damage or distress by individuals affected by the security incident, who may choose to sue whoever in the supply chain is perceived to have the deepest pockets.
- Minimum mandatory contractual provisions in data processing clauses/ contracts: The GDPR requires that prescriptive obligations are included in data processing clauses/ agreements, including flow-down of those obligations to sub-contractors, to which some service providers (eg cloud service providers) may have difficulty agreeing.
- Territorial scope: Non-EU controllers and processors will be caught where the processing activities are related to the offering of goods or services to data subjects in the EU, or the monitoring of their behaviour.
- Tighter rules on international transfers: Restrictions on transferring personal data outside the EEA (eg to data centres or accessing remotely from outside EEA) will generally be tightened up, noting that the higher tier of fine applies to breaches of the data export rules. Under the GDPR, the current safeguards (namely existing model clauses and binding corporate rules) remain available, but self-assessment of adequacy will no longer be a route to compliance.
- Expanded definition of personal data: 'Personal data' has been broadened to cover any information relating to an identified or identifiable living individual (including identifiers such as online identifiers and location data), and there are specific definitions for genetic data and biometric data. The GDPR also addresses 'anonymous information' (in its recitals) and introduces the concept of 'pseudonymisation' (ie processing personal data so that it can no longer be attributed to a specific data subject without additional information, such as a key or lookup table, that is held separately and protected by technical and organisational measures). Pseudonymised data remains personal data and stays within the scope of the GDPR; only truly anonymous information falls outside it.
- Greater transparency around data processing: More information will have to be provided to individuals about what personal data is being collected, for what purpose, for how long and to whom and to where it is being transferred.
- Accountability measures: There will be stricter rules requiring controllers to put in place (and implement) policies and documented procedures which not only serve to ensure compliance with the GDPR but also to evidence that compliance. Full documentation, records, logging etc. will be important to help avoid or reduce fines, eg proving that proper consents were obtained where necessary. Controllers will also be obliged to implement "data protection by design and default", including security by default.
- Right to be forgotten: Building on the existing right to erasure, whereby individuals can request that a controller deletes personal data that has been or is being processed in contravention of data protection laws, an individual will be able to request that their personal data be deleted and, where the personal data has been made public, that other controllers processing the personal data also erase links to, or copies or replications of, such personal data.
- Data portability: This is a new right which entitles a data subject to obtain from the controller a copy of his data in a structured, commonly used and machine-readable format. The data subject will even be able to request that the personal data is sent directly to another controller, where technically feasible.
- Data protection officers ("DPO"): Public authorities and private companies whose core activities involve large-scale monitoring or large-scale processing of sensitive data or data on criminal convictions must appoint a DPO. Processors for such organisations may also have to appoint DPOs. A DPO must operate independently and must not receive instructions from the controller or processor regarding the performance of their DPO tasks.
- Data protection impact assessments ("DPIA"): Before commencing any processing likely to result in a high risk to individuals, such as profiling activities, controllers will have to carry out a review of that envisaged processing to assess the privacy risks to individuals, and identify measures to address these risks and demonstrate compliance with the GDPR. Where the DPIA indicates that the processing would be high risk, in the absence of measures by the controller to mitigate that risk, the controller will be required to consult with the SA before being able to process that personal data under the GDPR. The SA will be able to suspend or even ban the processing.
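The pseudonymisation concept listed above turns on the "additional information" (a key or lookup table) being held separately from the pseudonymised data set. The following Python is an added example written for this page, not code from the original article or from any regulator or project: it replaces a direct identifier (e-mail address) in a constructed set of sample records with keyed HMAC-SHA256 tokens, keeps the key and the token-to-identifier map in a separate store that alone can re-identify a record, and shows why an unkeyed hash of a guessable identifier is not an adequate pseudonymisation measure on its own. The record layout, field names and the `PseudonymKeyStore` class are assumptions made for the illustration.

```python
"""Pseudonymising a record set with a separately held key store (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample data for this example; the people and values are not real.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "spend": 120},
    {"email": "bob@example.com", "postcode": "EC1A 1BB", "spend": 80},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "spend": 45},
]


class PseudonymKeyStore:
    """The 'additional information' that must be kept separately and secured:
    the HMAC key plus the token -> identifier map needed to re-identify.
    (Hypothetical class for this example; in practice this lives in a separate,
    access-controlled system from the pseudonymised data set.)"""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Fresh random 256-bit key per store; pass one in only to reproduce results.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def token_for(self, identifier: str) -> str:
        # Keyed hash: the same identifier always maps to the same token, so
        # records about one person stay linkable for analytics, but without the
        # key the token cannot be computed from, or tied back to, the person.
        token = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._reverse[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        # Only the holder of this store can reverse a token; unknown tokens give None.
        return self._reverse.get(token)


def pseudonymise(records: Iterable[Dict[str, object]], store: PseudonymKeyStore,
                 direct_identifiers: Iterable[str] = ("email",)) -> List[Dict[str, object]]:
    """Return copies of the records with each direct identifier replaced by a token.
    The originals are left untouched; the returned list is what you would release
    to an analytics team that must not see the identities."""
    out = []
    for record in records:
        copy = dict(record)
        for field in direct_identifiers:
            if field in copy:
                copy[field] = store.token_for(str(copy[field]))
        out.append(copy)
    return out


def unkeyed_sha256(identifier: str) -> str:
    """Plain SHA-256 of an identifier, the weak approach the next function defeats."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def reverse_unkeyed_hash(hashed: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unkeyed hash: for a guessable input space such as
    e-mail addresses or customer numbers, anyone can hash the candidates and look
    the token up, so the 'additional information' is not really held separately."""
    lookup = {unkeyed_sha256(c): c for c in candidates}
    return lookup.get(hashed)


if __name__ == "__main__":
    store = PseudonymKeyStore()
    released = pseudonymise(SAMPLE_RECORDS, store)
    for row in released:
        print(row)
    print("re-identified first row:", store.reidentify(str(released[0]["email"])))
```

The keyed tokens are only as pseudonymous as the key store is separate: if the analytics team can reach the HMAC key or the reverse map, the data set is simply personal data with an extra column, and the accountability point above (documenting who holds the key and logging re-identification) is what lets you evidence that the separation is real.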