The General Data Protection Regulation (GDPR), which replaces the EU Data Protection Directive, is a comprehensive data protection regime aimed at achieving a high level of security of network and information systems across the EU and giving individuals greater control over their own personal data. The GDPR will apply to all EU member states from 25 May 2018 and will impose significant compliance issues for any organisation which holds 'protected data'. Although it is European legislation, the Government has indicated that the GDPR will remain on the UK statute books after Brexit. To this end, the Data Protection Bill 2017 was introduced to the House of Lords on 13 September 2017. The Bill transfers the GDPR into UK law, replacing the Data Protection Act 1998 (DPA) and building on existing data protection rights in order to take into account developments in digital technology and the way organisations often collect a wide range of information about people.
The GDPR regulates the processing of protected data by organisations operating within the EU and those outside the EU that offer goods or services to individuals in the EU. It builds on the existing data protection principles as set out in the DPA, but also makes significant changes, imposing stricter rules concerning the holding and management of data and also the use of personal data for commercial purposes. The most significant addition is the 'accountability principle', whereby data controllers must keep records to demonstrate how they comply with the data protection principles – for example by documenting the decisions taken about a processing activity.
The steps necessary to comply with the GDPR will depend on the amount of data your business holds and what it is used for. Organisations that carry out large-scale, systematic monitoring of individuals (for example, online behaviour tracking) and/or large-scale processing of special categories of data or data relating to criminal convictions and offences must appoint a Data Protection Officer to have responsibility for and control over GDPR compliance.
What is Protected Data?
The data protected by the GDPR is personal data. The processing of personal data includes its collection, recording, use, storage, adaptation or alteration, disclosure and destruction. Protected data must be processed lawfully, satisfying at least one of the acceptable processing conditions, fairly and in a transparent manner. The GDPR's definition of personal data is more detailed and broader than that used hitherto. It allows for a wide range of personal identifiers to constitute personal data, for example information such as an IP address, as this relates to an identifiable person (the data subject). Generalised data is not covered, however, unless its possession allows a person to be identified. Those processing personal data do so either as a data controller or as a data processor. The data controller determines the purposes and means of processing of personal data. Data processors may only process personal data in accordance with the instructions of the data controller. However, unlike the Directive it replaces, the GDPR places direct statutory obligations on data processors, so they may be subject to heavy fines.
The concept of sensitive personal data remains. The GDPR refers to 'special categories of personal data', which are broadly the same as in the DPA but have been expanded to include genetic data and biometric data where this is processed in order to uniquely identify an individual.
Key to the GDPR is the concept of privacy or data protection 'by design', whereby data protection risks must be considered at all stages of data handling and storage to ensure compliance. This will necessitate not only a thorough audit of existing practices to ensure compliance but also the involvement of those with data protection expertise in the implementation of any new project, to ensure that privacy concerns are an integral part of the design.
The minimum necessary amount of personal data must be collected (privacy or data protection 'by default') and it must be processed for a specific purpose and for that purpose only. In addition, access to data must be restricted to only those personnel necessary and data should not be retained for longer than is needed.
Under the GDPR, individuals have the same rights as under the DPA (e.g. the right to access data and to amend inaccurate data, the right not to be subject to automated decision-making and the right to object to direct marketing) plus some new rights. These include the right 'to be forgotten' – i.e. to have their personal data erased – and the right to data portability, whereby an individual has the right to receive their personal data in machine readable form where this has been provided to a data controller with their consent or for the performance of a contract and the data is processed by automated means. Alternatively, an individual can request that the data be transferred from one data controller to another. When a subject access request is received, the response should explain the lawful basis for processing the data held on the individual.
Under the GDPR, subject access requests must be met without undue delay and certainly within one month, unless an extension is agreed. The current £10 fee will no longer be payable in most cases.
Processing by Consent
For the processing of personal data to comply with the GDPR, it must be done on a lawful basis. Currently, consent is one of the most widely used grounds for justifying such processing. However, the new rights given to individuals as to how information about them is collected and held set a very high standard for consent so that they have genuine choice and control. An indication of consent must be unambiguous, involve a clear affirmative action and should be separate from other terms and conditions. It should not generally be a precondition of signing up to a service and the GDPR specifically bans pre-ticked opt-in boxes. Specific consent is required for distinct processing operations and clear records must be kept to demonstrate that consent was obtained. Individuals have the specific right to object to the processing of their personal data and the right to withdraw their consent at any time where no other lawful basis for processing the data exists.
Employers should be aware that broad consent to process personal data given by an employee in their contract of employment will not be a valid processing condition. Furthermore, the requirement that consent must be freely given will make it difficult for employers and other organisations in a position of power to get valid consent, given the imbalance of power in the relationship. Also, consent could be withdrawn at any time. Employers are therefore advised to identify another legal basis for processing personal data under the GDPR, such as where doing so is necessary in order to comply with a legal obligation such as for tax purposes or to provide statutory employment entitlements such as maternity or paternity pay, sick pay or annual leave.
The rules on communicating privacy information under the GDPR are more detailed and specific than in the DPA. The information provided to people about how you process their personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
The GDPR requires that more information is provided in a privacy notice than the DPA does, including the lawful basis for processing the data. For example, employers are required to provide employees and job applicants with information on how their personal information will be used. Under the GDPR, this will include:
- The name and contact details of their employer as data controller;
- The name and contact details of the Data Protection Officer where applicable;
- The purpose for which the data will be processed and the legal basis for doing so;
- How long the data will be stored for;
- The categories of data to be processed;
- Any recipients of the data;
- If the data will be transferred outside the European Economic Area;
- Information on the right to make a subject access request;
- Information on the right to withdraw consent or object to processing;
- Information on the right to have personal data deleted or rectified in certain instances;
- Information on any automated decision-making;
- What happens if the individual fails to provide the data necessary to enter into a contract of employment; and
- Information on the right to lodge a complaint with a data protection supervisory authority – i.e. the Information Commissioner's Office (ICO).
For further information on privacy notices, see the website of the ICO.
It will be necessary to make sure everyone who has access to or processes personal data is aware of the GDPR and the need to ensure compliance with its requirements. Given the scale of the task, a carefully planned approach and the appointment of a team with the necessary skills to see it through to its fulfilment are essential.
The list below contains the 'bare bones' of compliance – there will be additional issues if you export data abroad, make use of 'bought-in' data or share your data.
- Create a record of the personal data you hold, specifying whether or not it is sensitive personal data. Note whether the individuals concerned are employees, customers, suppliers, former customers or suppliers, or useful contacts/marketing contacts. State the reason and lawful basis for any data processing, the origin of the data and with whom it is shared;
- Where the processing of data is likely to involve a high risk to the rights and freedoms of individuals, you will need to carry out a privacy impact assessment. As well as specific information on the purpose and the necessity of the processing, this should include an assessment of the potentiality for breach of the GDPR and the formulation of a plan to minimise the risks for all the personal data held;
- Where consent is the method relied on for justifying the handling of personal data, for example from those you wish to contact for marketing purposes, ensure specifically that you have obtained informed consent and can demonstrate this. If you do not have the consent of individuals to be on your mailing lists, either obtain it or remove them from the list. Ensure individuals cannot be added if you do not have informed consent;
- Ensure your procedure for providing privacy information and complying with subject access requests comply with the new rules. It is important to be sure that the provision of information requested does not compromise the safety of any other data;
- Review all documentation relating to data protection issues. Privacy notices should be updated to comply with the more detailed information requirements under the GDPR. All information provided must be easy for those requesting the information to understand;
- Ensure the requirements of the accountability principle are met by creating a documented set of procedures showing how you comply with the GDPR and record evidence of compliance on an ongoing basis. Internal records of data processing operations must be available for inspection by the supervisory authority if requested; and
- Create a system for detection and investigation of any breaches of data security.
All businesses must report data breaches that pose a risk to individuals to the ICO within 72 hours of detection. They must also inform those affected by the breach, supplying information on the nature of the breach and recommendations as to how potential problems can be mitigated.
The penalties for non-compliance with the GDPR can be very substantial – for serious breaches, up to 4 per cent of global turnover or €20 million, whichever is the higher.
The European Commission also plans to introduce a new ePrivacy Regulation to replace the 2002 Directive that is implemented into UK law by the Privacy and Electronic Communications (EC Directive) Regulations 2003. The new legislation is required in order to keep pace with technological developments and will cover cookies, online marketing, and the collection of metadata and behavioural data.
We recommend using the introduction of the GDPR not only as an opportunity to improve the way in which you handle personal information but also to think seriously about the protection of all sensitive and confidential information (such as turnover by category of goods, for example) and security generally.