New data protection rules from May 2018
A new EU data protection framework, the General Data Protection Regulation (GDPR), was adopted on 8 April 2016 and takes effect from 25 May 2018.
The GDPR builds on the concepts and principles in the current Data Protection Act (DPA). There are however some significant enhancements and new elements, the most important of which are summarised below.
The Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Affected organisations therefore need to act now to ensure they are compliant by May 2018.
Given the breadth and complexity of the GDPR this article is intended to act as an introduction only, and not as guidance.
Who does the GDPR apply to?
The GDPR applies to both controllers and processors of personal data. Controllers determine how and why personal data is processed. Processors act on behalf of controllers.
Data controllers are not relieved of their obligations where a processor is involved, instead the GDPR imposes further obligations regarding the contracts they hold with processors.
Like the DPA, the GDPR applies to personal data. The definition of this has however been expanded, and can now include online identifiers such as IP addresses and data which is given a pseudonym (for example key coding, where names etc. are changed into numbers based on a key).
Anyone currently subject to the DPA is very likely to also be subject to the GDPR.
The GDPR can apply to data controllers or processors which either:
- Operate within the EU, or
- Operate outside the EU, but their activities relate to EU individuals.
The Government has indicated it will implement an equivalent or alternative legal mechanism to the GDPR once the UK leaves the EU. The expectation is that this will largely follow the GDPR given the support expressed by the Government to date.
Data protection under the GDPR
The GDPR includes a number of data protection principles which set out the main responsibilities for organisations. These principles are similar to those in the DPA, but with some added detail.
A key change is that the GDPR introduces a new principle of accountability. This requires organisations to actively show how they comply with data protection principles, for example by:
- Having effective policies and procedures in place.
- Providing comprehensive, clear and transparent privacy policies (see below).
- Appointing a data protection officer (DPO) where appropriate.
- Implementing technical and organisational measures to show that they have considered and integrated data protection into their processing activities (referred to as data protection by design and default).
- Carrying out data protection impact assessments (also known as privacy impact assessments) in certain high risk circumstances.
Other important new measures and changes introduced by the GDPR include:
Lawful bases for processing personal data
Under the GDPR, organisations have to identify and document their lawful basis for processing data. The lawful bases are similar to those previously referred to under the DPA as conditions for processing, and include consent of the data subject and where processing is necessary for performance of a contract.
Identifying lawful basis is more important under the GDPR than the DPA: the basis has to be included in the organisation’s privacy notice (i.e. the information given to an individual when the organisation is collecting their data), and can affect the rights which individuals have.
The GDPR tightens the rules around consent given by data subjects:
- Consent must be specific, informed, unambiguous and given freely.
- There must be a positive opt-in – consent cannot be inferred from silence, inactivity or pre-ticked boxes.
- All requests for consent must be separate from other terms and conditions.
- It must be easy for individuals to withdraw consent.
Individuals generally have more rights (see below) where an organisation relies on consent as a lawful basis.
Existing consents will only be acceptable under the GDPR if they meet these new, stricter requirements.
The GDPR brings in special protections for dealing with the personal data of children:
- If services are offered directly to children (e.g. through social networks) the privacy notice must be written in a clear, plain way that the child will understand.
- If online services are offered to children a parent or guardian’s consent may be required to process the data.
Transfer of data
The GDPR imposes restrictions on the transfer of personal data outside the EU. Transfers can only be made outside the EU where certain conditions are met, including that the receiving organisation has provided adequate safeguards, or where the transfer is made with the individual’s informed consent or is necessary for the performance of a contract.
Organisations must notify the Information Commissioner’s Office (ICO) within 72 hours of any personal data breach which is likely to result in a risk to the rights and freedoms of individuals.
Individuals also need to be informed directly and without undue delay If there is likely to be a high risk to their rights and freedoms as the result of a breach.
A fine of up to 10 million Euros or 2% of global turnover can apply for failure to notify a breach, as well as penalties for the breach itself.
Individual rights under the GDPR
Individuals have new and strengthened rights under the GDPR with regards to their personal data, including:
- The right to be informed: organisations have to be transparent with individuals as to how they use their personal data.
- This includes providing information on the organisation’s data retention policies and the individual’s rights under the GDPR.
- This is normally achieved by providing a privacy notice
- Requirements under the GDPR are more detailed, so existing privacy notices will need to be reviewed to make sure they are compliant.
- The right of access – individuals have the right to confirm whether their personal data is being processed and to access it.
- The right to rectification – individuals are entitled to have personal data corrected if it is incorrect or incomplete.
- The right to erasure – also known as the right to be forgotten – individuals can request the deletion or removal of personal data in specific circumstances (including where they withdraw consent or where the data is no longer necessary for the purpose for which it was collected).
- The right to restrict processing – individuals can block or supress processing of personal data.
- A new right to data portability – individuals can request that their data is supplied to them in a commonly used format so it can be transferred easily to another data controller.
- The right to object – individuals can object to their data being used for direct marketing or certain other reasons (including historical or scientific research).
- Rights in relation to automated decision making and profiling – individuals have safeguards against the risk of a potentially damaging decision being taken without human intervention.
The timescale for complying with many of these rights will be reduced from the current 40 days to one month.
What do organisations need to do now?
Any businesses that are data controllers or processors need to consider what new obligations they will have under the GDPR, and what changes they may need to make before May 2018 to ensure they are compliant.
As an initial step, they should raise awareness of the impending changes with key decision makers and personnel in the business.
In terms of practical steps, organisations are recommended by the ICO to:
- Document what personal data they hold, where it came from and who it is shared with.
- Review current privacy notices to see what changes are needed.
- Check that procedures cover all the new and expanded rights individuals have.
- Identify their lawful basis for processing data.
- Review how they seek, record and manage consent to see if this is up to the GDPR standard.
- Make sure the right procedures are in place to report data breaches.
- Designate a Data Protection Officer if necessary.
The ICO website has a number of helpful webinars and documents to assist organisations, including:
- A more detailed Overview of the GDPR.
- A 12 steps to take now summary.
- A Getting ready for the GDPR toolkit
A follow up article intended to address how the GDPR will apply to ATT members by considering some Frequently Asked Questions (FAQs) can be found here.