21 March 2018

GDPR – It’s nearly here are you ready?

We finally join the herd, and thought a general overview of what is changing might assist you in readying yourself for May 25th 2018.

Impact & Key Concepts

GDPR introduces some new concepts and approaches, though core concepts of personal data, data controllers and data processors are broadly the same. It remains founded on a ‘principles’ based approach.

GDPR applies to the processing (any use of personal data including storage and destruction) of personal data (information relating to an identifiable living individual) by data controllers (a person who determines the purposes and means of processing) or data processors (a person who processes on behalf of a controller).

Personal data must be processed in accordance with the revised seven data protection principles which require (1) fair, lawful and transparent processing, (2) limitation of the purposes of processing, (3) data minimization, (4) accuracy, (5) limitations on storage and (6) appropriate technical and organizational measures to ensure integrity and confidentiality, and (7) accountability.

European citizens’ data rights are the heart of the GDPR:

Key Changes

Increased enforcement powers – Fines for breaches in the UK are currently limited to £500,000. This will be increased to €20 million or 4% of annual turnover depending on the nature of the breach, with the highest fines applying to breaches of the data protection principles and data subject rights.

Consent will be harder to prove and perhaps obtain – Consent is one of the conditions which can be relied on for data processing.  The GDPR requires informed and unambiguous consent. Proving you have that consent is on the data controller. Some entities like public bodies will no longer be automatically able to rely on their own ‘legitimate interests’ for processing and will again have to identify alternative grounds.

A risk based approach to compliance – Organisations will have to conduct regular, we advise annual, audits of risk and compliance.  These reviews will need to be documented and actions to show compliance is an ongoing process.

Privacy by design and default – You need to keep up with the current standards and practice as they evolve.  You can factor in the nature, scope and context of the processing in your systems design, but will be required to show data protection ‘by design and by default’ at the time of determination of the means of processing and the processing itself.  This recast and strengthens the current duty under the Seventh Data Protection Principle.

Privacy Impact Assessments (PIA’s) – organisations will be required to carry out PIAs before introducing processing by new technologies likely to pose a risk to data privacy and in other circumstances to be specified.

Records of Processing Activities – Organisations will need to maintain detailed documentation recording their processing activities. The information required includes the purposes of the processing, categories of data subjects, personal data, and those to whom data will be disclosed and general technical and security measures in place.

Appoint a Data Protection Officer – Some organizations, including all public authorities, will have to appoint a Data Protection Officer to advise on and monitor GDPR compliance.

New Breach Notification Rules – Data breaches will have to be notified to the regulator within 72 hours. Where a high risk to individuals arises, the data subjects will also have to be notified unless an exception applies.

Additional Rights for Individuals – The right to be forgotten (erasure), a right to object to profiling, and a right to data portability.

Less Time for Subject Access Requests – the time limit for responding to requests will be reduced from 40 days to 1 month and the information which must be provided will be extended.

The Legal Oversight comprises Authorities/Regulators and European Courts:

Of growing importance is The European Data Protection Supervisor (EDPS) – the European Union’s (EU) independent data protection authority.

Their purpose is to:

  • Monitor and ensure the protection of personal data and privacy when EU institutions and bodies process the personal information of individuals;
  • Advise EU institutions and bodies on all matters relating to the processing of personal information. We are consulted by the EU legislator on proposals for legislation and new policy developments that may affect privacy;
  • Monitor new technology that may affect the protection of personal information;
  • Intervene before the Court of Justice of the EU to provide expert advice on interpreting data protection law;
  • Cooperate with national supervisory authorities and other supervisory bodies to improve consistency in protecting personal information.

There is also the new European Data Protection Board, replacing the old ‘Article 29 Working Party,’ whose members were the EU’s national supervisory authorities (regulators), the European Data Protection Supervisor (EDPS) and the European Commission – so the same core membership but with independent Secretariat and identity.  The EU set up the European Data Protection Board (EDPB) in preparation for the General Data Protection Regulation to issue guidance for the new era of the GDPR, and to resolve disputes between national supervisory authorities (regulators).

Developing News:

The media interest in the data use and data gathering of Cambridge Analytica is showing all too clearly how not having clear consents for the data you gather and process will have serious ramifications.  The allegations about Cambridge Analytica are now being investigated by regulators and politicians on both sides of the Atlantic.  Additionally the impact on Facebook’s reputation for their alleged failures to stop the data gathering, retention and use of data, is another demonstration of the importance of taking data control and compliance seriously.  The UK ICO have announced an investigation and search under warrant of Cambridge Analytica’s systems and their use of Facebook sourced data.  All this underlines the importance of having legitimate sources of data and proper consent.