The EU’s General Data Protection Regulation (679/2016/EU), the GDPR, comes into force across the EU on 25 May 2018. Because it is made by Regulation, the GDPR, unlike the existing Data Protection Directive (implemented in the UK by the Data Protection Act 1998), will have direct effect throughout the EU. National governments will have some limited scope to tailor certain of its provisions to their jurisdiction. However, the GDPR’s intention is to harmonise the approach taken to data protection across the EU.
Notwithstanding Brexit, the UK government has indicated its intention to implement the GDPR in full. The regulator for data protection in the UK is the Information Commissioner’s Office. Its powers and ability to work seamlessly with other national EU regulators will form a negotiation point in the coming Brexit deal.
The GDPR will apply to any use of personal data arising in connection with either the offering of any goods or services to individuals located in the EU (whether for payment or not), or the monitoring of the behaviour of EU-based individuals. This is a significant change to the scope of previous legislation and has the effect of:
- Focusing the legislation on the individuals whose data is being utilised, as opposed to the organisations utilising the data (i.e., any worldwide business with customers located in the EU will be subject to the GDPR in respect of those customers); and
- Encompassing the tracking of individuals’ EU-based internet activity, whether via a website or app (i.e. any worldwide business which uses tracking cookies or retrieves app usage information in respect of EU-based activity will now be caught).
The location of data processing equipment is no longer a determining factor. Worldwide businesses cannot avoid the application of the GDPR by locating their processing equipment outside the EU.
Some of the key provisions to note in respect of the GDPR include:
Consent – Obtaining consent from individuals for the processing of their data under the GDPR will be significantly harder. Individuals will be required to give their unequivocal affirmative consent. For example, website tick-boxes will need to be ‘opt-in’ and must not be opt-out or pre-selected. The business wishing to collect and utilise the data must clearly explain to the data subject the uses to which their personal data is to be put. Businesses will be required to provide evidence that their processes are compliant and followed in each case. Individuals must be able to easily withdraw their consent to the use of their personal data at any time and without suffering any detriment as a result of the request, and businesses must have mechanisms in place to easily enable any such withdrawal. Individuals will have a right to be forgotten (i.e., the deletion of their data) and a right to object to profiling (particularly relevant to website advertisers). They will have the right to have their data amended and rectified and the right to be informed as to what personal data is currently being retained and/or used by the business. There are tighter deadlines for responding to Subject Access Requests, and fees can no longer be charged for these requests.
At Creation – Businesses will be required to consider data protection issues at the creation of any new technology, product or new business line and to ensure that suitable protection mechanisms are in-built into such developments from their beginning. Businesses must also ensure that they only collect and process the minimum required data for the express uses to which consent has been given.
Data Processors – Unlike previously, data processors will now also be directly subject to the data protection requirements put in place by the GDPR. As a result it is expected that the cost of data processing services provided by outsourced data processors to data controllers is likely to increase as they also tighten up their internal compliance with the GDPR. Data processors will also want to review and potentially renegotiate their processing agreements with their Data Controllers. Data processors employing 250 or more people (and, in some circumstances, any data processors irrespective of their size) will be required to keep detailed records of all of their processing activities.
Data Protection Officer – Processors processing a significant volume of data, or processing ‘sensitive’ data, may be required to appoint a data protection officer (DPO). The DPO will be responsible for monitoring the data processing activities of the business and ensuring their compliance with the GDPR. It is expected that certain businesses may voluntarily appoint a DPO to help demonstrate an adoption of best practice procedures and strengthen any defence to regulatory investigation.
Data Breaches – Data breaches must be notified to the relevant supervisory regulator as soon as possible, and in any event within 72 hours of the breach being identified. The GDPR states that breaches that are unlikely to result in risks to individuals do not require reporting. However, due to the risk posed to an individual, further guidance is currently being sought on this point.
Data Transfers – Transfers of data of any EU-based individuals outside of the EU continue to be regulated by the GDPR. However, the increased sanctions for breaches of the new rules are likely to mean that non-EU businesses will have to carefully review their existing arrangements to ensure they are compliant.
The EU Commission may identify specific jurisdictions which are deemed to have adequate data protection laws in place and permit data transfers to those jurisdictions. As a result of decisions of the European Court of Justice, the United States is not currently included in this list. The EU and U.S. have negotiated a new data transfer agreement (the Privacy Shield) to replace their previous transfer arrangements. The Privacy Shield enables data transfers to be made to United States recipients that are subject to regulation by the Federal Trade Commission or Department of Transport and that have self-certified their compliance with the Privacy Shield’s requirements.
Compliance requires, amongst other matters, certifying organisations to adopt privacy policies which address data protection matters in a manner sufficiently compliant with European principles (e.g., as regards information provided to data subjects, data security, dispute resolution and data access). The Privacy Shield is currently subject to various legal challenges from EU-based privacy campaigners, largely stemming from the ability of the U.S. intelligence services to access and utilise transferred data.
Failing this, transfers of personal data may only be made:
- On the basis of a data transfer agreement between the transferor and recipient of the data which incorporates certain prescribed contractual clauses; or
- By a UK company to other members of its group, on the basis of a set of legally-enforceable corporate rules (called Binding Corporate Rules). Binding Corporate Rules must be approved by the Information Commissioner’s Office.
Enforcement and Sanctions
A business subject to the GDPR who has operations, but not separate subsidiaries, in a number of EU jurisdictions will need to identify a main establishment in the EU. The regulatory authority of this jurisdiction will be the ‘lead supervisory authority’ for the business and will be responsible for coordinating with the regulatory authorities in any other relevant EU jurisdictions in relation to those operations. It is hoped that this will cut the administrative burden by enabling businesses to deal with a single regulator covering all of their European activities. Individual subsidiaries will each be subject to the regulatory authority of their jurisdiction of incorporation.
The sanctions for breaches of the GDPR are significantly stronger than is currently the case. Certain breaches will attract fines of up to 2% of the annual worldwide turnover of the relevant business (with a minimum fine set at €10 million). More serious breaches will attract fines of up to 4% of the annual worldwide turnover of the relevant business (with a minimum fine set at €20 million). The regulatory authorities will be able to conduct data protection audits and to require the provision of any relevant information. The maximum fine for breach of the UK’s current data protection legislation is set at £500,000.
The significant penalties for non-compliance are expected to quickly move data protection issues to the forefront of the minds of businesses. Businesses gathering and utilising data on any EU-based individuals should consider the following steps:
- Understand the new regulatory framework and, where relevant, identify the jurisdiction that will act as the ‘lead supervisory authority’ of the business.
- Review the processes by which consent to data processing is obtained and by which the uses to which such data will be put are explained.
- Review any data processing agreements to ensure compliance with the new obligations on data controllers and data processors under the GDPR.
- Review the mechanisms by which information relating to EU data subjects is transferred outside the EU (whether to another group company or an external provider), and ensure that they are appropriate to permit such data transfers.
- Consider the data gathering and processing activities of the business and whether these give rise to the need to appoint a data protection officer.
- Review data breach policies to ensure compliance with the requirements of the GDPR.
Internal Action Points
Businesses should consider doing the following:
a) Identifying and listing the business functions which depend on personal data. For example, these may include:
- Human resources (HR)
- Customer services
- Frontline staff
b) Identifying the types of personal data collected, the sources for collection, and the systems and technologies used for this purpose:
i. Types of personal data collected
- Candidates and current employees
- Individual customers and suppliers
- Individuals at customer and supplier organisations
ii. The sources for collection
- Online account application forms
- Business-acceptance procedures
- Gathering business cards at meetings
- Personal data about job candidates is sometimes collected from third-party sources, such as background screening services and the Disclosure and Barring Service. Employee personal data may also be collected by monitoring e-mails and telephone conversations
iii. Systems and technologies used
- Radio-frequency identification (RFID)
- Global positioning systems (GPS)
- Mobile apps
- HR and marketing databases
- Sales and trading platforms
- E-commerce and m-commerce systems
- Word-processing systems
- All forms of communication systems, including telephones and portable devices
c) Considering whether information is to be shared with other EU countries and/or globally, and making a note of these.
- How are you currently ensuring compliance with the legal requirements of those other countries?
d) Identifying and documenting the use of personal data throughout the business including:
- Who it is collected from
- At what stage it is collected
- How it is collected
- What it is being collected for
- How it is being processed/used
- Where it is stored
- Why it is stored
- When it is erased and how
- How it is updated/rectified
e) Identifying how you are currently capturing the customer’s consent to the processing of their data, what the customer is told at the point they consent, how you have been recording and storing this consent, and how the customer can withdraw this consent.
f) Data Portability – consider how you currently share the customer’s data, who you share it with, and in what format.
g) Data Subject Requests – what are you currently doing with these requests?
Consider Whether You Are Ever Processing Children’s Information (Separate Rules Now Apply)
You should carry out a full and thorough risk assessment across the business to identify where possible weaknesses in your existing processing of personal data may lie and address these weaknesses.
You should identify what documents you have in place to deal with data protection at the moment and whether these need updating. Such documents may include:
- ‘Use of Information’ statements in agreement documentation including pre- and post- contract communications
- Privacy Statements
- Privacy and/or Data Protection Policy
- Agreements with third parties whereby you are passing them or they are passing you personal data
- Record keeping policy (if any)
- Internal documents concerning personal data
- Complaints policy/dispute resolution
You should consider your relationship with the Information Commissioner’s Office and how this will need developing to include the introduction of:
- Notification procedures in case of a breach of data protection – introduce a data breach response plan
- Rectification procedures if a breach is identified
- You should also ensure your registration details are up to date
You should also record all data processing activities and ensure these records are available to provide to the ICO or other regulatory authority on request.
Timothy Anson, London, Paralegal also contributed to this article.