This guide provides an introduction to the General Data Protection Regulation.
On 25 May 2018 the UK will see the biggest ever change to its Data Protection laws with the implementation of the EU General Data Protection Regulation which will replace the current Data Protection Act 1998.
2. What do the current Data Protection laws look like?
All of the EU member states have taken divergent approaches to implementing Data Protection legislation, creating compliance difficulties for many businesses operating across the EU.
The General Data Protection Regulation will harmonise all of EU’s Data Protection laws.
3. What is Data?
Data is categorised as either Personal Data or Sensitive Personal Data.
- Personal Data - meaning information that relates to an identifiable person, for example - personal contact details, bank account details and CCTV footage
- Sensitive Personal Data - includes genetic and biometric data as well as data regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and sexual orientation, it also includes criminal convictions
4. Key Terms
- Data Subjects: individuals to whom data relates i.e. employees, customers, consumers
- Data Controllers: organisations that collect Personal Data and responsible for and must be able to demonstrate compliance with the principles i.e. employers, businesses, companies
- Data Processor: a person or body which processes Personal Data on behalf of a Data Controller i.e. outsourced payroll, HMRC
5. What is processing?
This is simply any adjective you can use to describe doing something with data.
The obvious examples are collecting, copying, sharing, disclosing and using but it also includes acts such as storing, archiving, deleting, shredding and destroying.
Legal basis for processing
For processing to be lawful under the GDPR, you need to identify a legal basis before you can process Personal Data.
The legal bases available for processing Personal Data are:
- consent of the Data Subject
- processing is necessary for the performance of a contract with the Data Subject or to take steps to enter into a contract
- processing is necessary for compliance with a legal obligation
- processing is necessary to protect the vital interests of a Data Subject or another person
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller
- necessary for the purposes of legitimate interests pursued by the Controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the Data Subject
6. The problem with consent
The giving of consent by a Data Subject is one of the gateways through which a Data Controller can establish a legal basis for processing Personal Data.
The GDPR sets out stricter and more detailed conditions for the use of consent making it harder to obtain:
- consent must be freely given, specific, informed and unambiguous
- it will not be considered freely given if there is no genuine free choice, the onus is on the Data Controller to show that the Data Subject gave consent
- if consent is given by means of a written declaration, the request must be made in a manner that is clearly distinguishable from other aspects of the document
- a Data Subject has the right to withdraw consent at any time and must be told of this right by the Data Controller
- it must be as easy to withdraw consent as it is to give it
7. The GDPR principles
Once a Data Controller has one or more of the legal bases to process data then it must comply with all of the following principles:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
- processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
There are also restrictions to transferring data outside the European Economic Area.
One of the biggest changes under the GDPR is the new principle of accountability; the GDPR requires Data Controllers to demonstrate compliance with the principles.
This manifests itself in enhanced obligations for Data Controllers, including a requirement to keep extensive internal records of data processing operations, which must be produced to the supervisory authority for inspection on request.
9. Data Protection Impact Assessments
Another duty under the accountability principle is for Data Controllers to complete data protection impact assessments (PIAs) where the processing uses new technologies that is likely to result in a high risk to Data Subjects.
10. Data Protection Officers
For certain organisations there will be a legal requirement to appoint a Data Protection Officer (DPO). This includes, for example:
- where its core activities involve systematic monitoring or large-scale processing of Sensitive Data
- if it is a public body.
The transparency principle requires Data Controllers to provide significantly more information than at present.
This will include telling employees, job applicants and customers for example:
- the source of the data (unless it originates from the Data Subject)
- who will receive Personal Data (or the categories of recipients)
- the period for which data will be stored, or if that is not possible the criteria used to determine the period
- the existence of Data Subject rights
- the right to object to processing
- the right to withdraw consent
- the right to complain to the regulator
- the legal basis for the transfer of the data to a non-EU third country
12. Data Subject rights
Data subjects have certain rights under the GDPR including the right to:
- access their own personal data (and a fee cannot be charged in the vast majority of cases)
- correct personal data
- erase personal data
- restrict data processing
- object to data processing
- receive a copy of their personal data or transfer their personal data to another data controller
- not be subject to automated decision-making
- be notified of a data security breach
13. Data processors
The GDPR tightens the rules on the use of Data Processors. Currently, only Data Controllers have liability to Data Subjects for compliance. Under the revised rules, Data Processors will have a duty to comply and face potential liability if they fail.
14. Personal Data breaches
A Personal Data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of Personal Data.
Data breach reporting
Data Controllers discovering a Personal Data breach must notify the regulator promptly and within 72 hours, if feasible.
The notification requirement does not apply if the breach is unlikely to result in a risk to Data Subjects (for example, because all data on a laptop was encrypted).
If there is a high risk to a Data Subject, he or she must also be told by the Data Controller.
Data breach register
Records must be kept of all data breaches and action taken, including those in respect of which there was no obligation to notify the regulator.
The rules in the GDPR are underpinned by a tougher penalty regime. The maximum penalty is up to 4% of annual worldwide turnover of the preceding financial year or 20 million Euros (whichever is the greater).
The investigative powers of the regulator include a power to carry out audits, as well as to require information to be provided, and to obtain access to premises.
16. Who is the Regulator?
The Regulator for Data Protection in the UK is the Information Commissioner’s Officer (ICO).