Over the past 18 months there has been a lot of talk about the General Data Protection Regulation (GDPR) but what is it and how will it impact your business?
What is GDPR?
Data protection is viewed by both the European Union and the UK Government as the cornerstone of the digital economy so, in order for the digital economy to grow, there is a need to update our data protection laws.
The current legislation, the Data Protection Act 1998 (which implements the 1995 Data Protection Directive), was finalised in a very different technological world. Google was yet to be incorporated and the likes of Nokia and Ericsson were producing the must-have mobile phones.
The GDPR took 4 years to negotiate and has been described by the Information Commissioner as the biggest change to data protection law for a generation. It is part of a broader package which also includes an ePrivacy Regulation, which is still being negotiated but will update our laws on cookies and online marketing.
What is changing?
Processor Obligations – The Data Protection Act 1998 only places obligations on data controllers (the organisation that determines the purposes for which personal data is collected and used). There are currently no statutory data protection obligations on data processors (organisations that simply process personal data in accordance with a data controller's instructions).
With the introduction of statutory obligations for data processors, the GDPR will have significant implications for all data processors, especially SaaS and Cloud providers. These companies now face direct regulatory exposure, something that was not previously a concern for them. It is important to be aware of these new regulatory burdens, but it is equally important to understand that good GDPR compliance will be beneficial from both a trust and a commercial perspective.
Wider Territorial Scope – As well as applying to organisations established in the EU, the GDPR will also apply to any company that offers goods or services to individuals in the EU, or monitors their behaviour within the EU, even where the company has no physical presence there. This obviously has consequences for UK businesses once we Brexit: trading with EU customers will keep them within the GDPR's reach.
Consent – Under the GDPR consent must be freely given, specific, informed and unambiguous; the request for it must be clearly distinguishable from other matters; it must be specific to each processing activity; and it must be as easy to withdraw as it is to give. This will see the end of pre-ticked boxes and consent buried in privacy policies or contract terms. It is important to remember that consent is not the be all and end all: there are other legal bases for processing personal data, such as performance of a contract and legitimate interests, and these are often the better choice where consent could not realistically be refused or withdrawn.
Contractual requirements – Every arrangement under which a processor handles personal data on a controller's behalf, no matter how insignificant the data, must be set out in a written contract (electronic form counts). The GDPR also prescribes terms that must appear in both new and existing processor contracts, including the controller's audit and inspection rights, the processor's duty to act only on documented instructions, and the controller's prior approval of any sub-processors.
Data Protection Officers – If your core business activities include large-scale regular and systematic monitoring of individuals, or large-scale processing of sensitive personal data, you will be required to appoint a DPO no matter how small your business is (public authorities must appoint one in any case). DPOs need to be data protection experts and must be able to operate independently, reporting to the highest level of management, so there are restrictions on who can and cannot fulfil the role: someone who decides the purposes and means of processing, such as a head of IT or marketing, would have a conflict of interest.
Definition of Personal Data – What constitutes personal data is often a subject of much debate. The courts have expanded on the existing legislation, and the GDPR now expressly includes location data and online identifiers such as IP addresses and cookie identifiers. It is also important to note that hashing or otherwise pseudonymising data does not take it outside the GDPR: pseudonymised data remains personal data for as long as the individual could be re-identified, for example by anyone holding the key or the original values. Only data that is truly anonymised, so that the individual can no longer be identified by any reasonably likely means, falls outside the regime.
Breach Notification – Data processors must notify the relevant data controller of any personal data breach without undue delay after becoming aware of it. Data controllers must then notify the ICO within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms, and must inform the affected individuals themselves without undue delay where the breach is likely to result in a high risk to them. Each notification must contain specified information, including the nature of the breach, the categories and approximate numbers of individuals and records affected, the likely consequences, and the measures taken or proposed to address it. In practice this means your incident response process needs to establish quickly what data was compromised and who is affected, because the 72-hour clock does not wait for a complete investigation.
Harsher Penalties – The maximum fine that the ICO can currently impose is £500,000 per contravention. Under the GDPR this increases to a maximum of €20 million or 4% of worldwide annual turnover (in the UK this will be £17 million or 4% of global turnover), whichever is the greater. There is also a lower tier of the greater of €10 million or 2% of global turnover. These are only the regulatory fines; organisations will also need to consider liability between controllers and processors and the possibility of individuals taking action against them for compensation.
As the GDPR is a regulation, it applies directly and we do not actually need legislation to implement it into UK law. However, certain elements are left to the discretion of member states, and there is also the small matter of Brexit to consider, so the Government is planning a new piece of data protection legislation. The new Data Protection Bill was announced in the recent Queen's Speech, and last week DCMS published its Data Protection Bill statement of intent; the Bill itself will be published in early September.
Whilst the new law will replicate most of the GDPR, the Data Protection Bill will contain additional elements on processing for police and criminal justice purposes, and it is likely that the Government will propose further restrictions affecting online services, which will be interesting to see. If the Government looks to deviate too far from the GDPR in the Data Protection Bill, it is likely to face difficulty getting the Bill through Parliament.
How should I prepare?
Accountability – There is a theme of accountability running throughout the GDPR which requires organisations to have a continuous understanding of their data flows. All organisations should conduct a data mapping exercise (what personal data is held, where it came from, where it is stored, who it is shared with and on what legal basis) and an audit to ensure that any unnecessary or outdated personal data is deleted. This is something that will need to be repeated at regular intervals throughout the lifecycle of the data.
DPO – Consider whether you are required to appoint a DPO. Even if you are not, you should consider designating responsibility for data protection to a specific individual, as GDPR readiness is a transformation project that needs an owner.
Policies – All policies and privacy notices must be reviewed, updated or created to ensure compliance. This will be of particular significance for data processors.
Consent – If you are relying on consent as a basis for processing, it must be GDPR compliant: it should be an active opt-in, and organisations should not rely on pre-ticked boxes. The consent must also relate specifically to the purposes of the processing, so where there are multiple processing activities, layered or granular consent may be required. You must also establish a process for evidencing consent (who consented, when, how, and to what) so that it can be demonstrated to the ICO if challenged.
Evidencing Compliance – As mentioned above, there is a general theme of accountability running through the GDPR, so organisations will need to keep paper trails of decisions in respect of data processing activity, maintain records of their processing activities, and carry out data protection impact assessments (what are often called privacy impact assessments) where processing is likely to result in a high risk to individuals. The obligation to maintain records of processing does not apply if you employ fewer than 250 people, unless your processing is likely to result in a risk to individuals' rights and freedoms, the processing is not occasional, or the processing includes 'special categories' of data (what is currently defined as sensitive personal data under the Data Protection Act). Note that the 250-employee exemption relates to the records of processing only; the requirement to carry out an impact assessment for high-risk processing applies regardless of size.
Internal Breach Procedures – Given the new breach notification requirements, breach procedures must be implemented and regularly updated, including the preparation and testing of incident response plans that identify who decides whether a breach is notifiable and who is responsible for notifying the ICO and affected individuals within the deadlines.
Training – All members of staff will need to be trained on the new rules. Training will need to be ongoing and tailored to specific functions within the business.
Review – You must check all contracts and templates, including those throughout your existing supply chain, to establish what updates may be required in preparation for the GDPR. In addition to this, all insurance cover should be reviewed to check that coverage extends to data breaches.
All organisations will be impacted by the GDPR in one way or another, so it is important not to leave your preparation until the last minute. An ability to demonstrate good GDPR compliance will increase confidence in your business, which in turn will increase its value. It will also help companies to streamline their data assets, which can in turn assist with the commercialisation of those assets.
This is not just a legal issue. It requires buy-in from all parts of your business and needs to become a foundation for all business decisions moving forward.
Chris specialises in data protection and privacy, regularly advising clients on national and international data protection matters.