1. Introduction
In April 2016, after several years of negotiations between the European Parliament, the European Commission and the Council of Ministers, the European Parliament formally adopted the General Data Protection Regulation (GDPR), the first major change to data protection law in Europe since 1995. As a regulation (rather than a directive), the GDPR will be directly applicable in every member state without the need for national implementing legislation, and will apply from 25 May 2018.
Although the GDPR will not apply for another two years, it will make far-reaching changes to the existing regime. As a result, every organisation that collects, processes or stores personal data should be taking steps now to ensure it can achieve compliance by May 2018.
This note, whilst by no means exhaustive, considers some of the more important changes of which you should be aware.
2. Key Changes
Data Controllers and Data Processors – Obligations and Accountability
The GDPR imposes direct obligations on data processors for the first time – previously, only data controllers had direct obligations, some of which they flowed down contractually to processors.
The GDPR also places additional accountability obligations on both data controllers and data processors to adopt new technical and organisational measures to demonstrate compliance. This includes maintaining certain documents and records of data processing; undertaking data protection impact assessments where privacy breach risks are high (to identify and minimise the risks to their data subjects); and implementing data protection “by design” and default (discussed further below).
Organisations must also comply with new transparency rules relating to the information they give to data subjects about the processing of their personal data.
Data Protection Officers (“DPO”)
A DPO is a designated individual within an organisation with specific responsibility for data protection compliance.
While any organisation may appoint a DPO, an appointment will be mandatory under the GDPR for public authorities and bodies, for organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for organisations whose core activities involve large-scale processing of sensitive (special category) personal data or data relating to criminal convictions. (An earlier draft of the GDPR set a threshold of 250 employees; that threshold did not survive into the final text.)
The DPO must be allowed to operate independently, must not be penalised for performing their tasks, and must report directly to the highest level of management. Duties of the DPO will include:
- informing and advising the organisation of its data protection obligations;
- monitoring the implementation and application of the organisation’s data protection policies, including the assignment of responsibilities and the training of staff;
- monitoring the organisation’s compliance with its data protection obligations; and
- ensuring that all relevant documentation and data processing records are maintained.
A DPO might be an existing employee or an outside consultant and a group of companies may appoint a single DPO to act for the corporate group.
Territorial Scope Creep
The current data protection regime in Europe applies to organisations that are established in the EU or that use equipment in the EU for processing data. The new regime will also catch organisations based outside the EU, who process personal data about data subjects in the EU for the purposes of offering goods or services to them or monitoring their behaviour.
It is currently unclear how the European Commission expects to enforce this territorial scope creep. It is possible, however, that Data Protection Authorities (“DPAs”) or courts may seek to prohibit European customers from dealing with non-EU vendors that do not comply with the GDPR.
In any event, companies that have no EU presence but who offer goods or services to EU individuals or monitor their behaviour should prepare to comply with the GDPR, including the designation of an EU representative by written mandate.
Consent
If a data controller uses data subject consent as its justification for its processing of personal data, such consent must be freely given, specific, informed and unambiguous, shown either by a statement or a clear affirmative action signifying agreement to the processing. Consent for the processing of sensitive personal data must be “explicit”. These are stricter conditions than those under the present regime. The burden of proof will be on the data controller to show that consent was given. In addition, the data subject can withdraw their consent at any time.
This obligation raises specific issues for the use of consent in the employment context. The Recitals to the GDPR provide that consent is not freely given if the data subject has no genuine and free choice or is unable to withdraw or refuse consent without detriment, and the question of whether an employee can ever freely give consent to data processing by their employer remains unresolved (although the Article 29 Working Party and several DPAs have expressed the view that, given the imbalance of power in the employment relationship, employee consent is unlikely ever to be regarded as freely given).
Organisations should therefore determine if they are currently relying on individual consents and, if so, whether those existing consents meet the new conditions.
Privacy by Design
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start of the project, for example through the pseudonymisation of personal data, or through employee training programmes.
Data controllers will be responsible for designing and implementing mechanisms to protect personal data in compliance with the GDPR. Controllers must ensure that, by default, personal data is:
- collected and used only as necessary for specific purposes;
- retained no longer than necessary; and
- not made available to an indefinite number of persons.
Breach Notification
Data controllers will be obliged to notify personal data breaches to the competent DPA without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The only exception is where the breach is unlikely to result in a risk to the rights and freedoms of individuals; even then, the controller must keep an internal record of the breach, its effects and the remedial action taken. Data processors, for their part, must notify the controller without undue delay after becoming aware of a breach, so the 72-hour clock places a premium on clear contractual and operational reporting lines between processors and controllers.
In some cases, where the breach is likely to result in a high risk to the rights and freedoms of the affected data subjects, the controller will also have to notify those individuals without undue delay.
Right to be Forgotten
Data subjects will be able to demand that organisations erase records of their personal information, but this will only apply where there is "no legitimate reason" for the data to be retained.
The burden of proof will be on the organisation to demonstrate that it has legitimate grounds to retain an individual’s data, which override the interests of the data subject. Organisations may also face individuals who have an unrealistic expectation of their right to be forgotten.
Data controllers will need to ensure that they (and their processors) have processes in place to enable erasure of personal data – including where the data has been made public, for example through links.
3. Why Should I Care?
Although the GDPR will not apply until May 2018, it is important that any organisation that collects, processes or stores personal data is aware of the changes that will occur and is fully prepared and compliant before then. The new processes and working practices necessary to ensure compliance will take time to design and implement effectively.
Sanctions
The GDPR imposes a tiered system of penalties depending on the nature, gravity and duration of the breach. At the top end, a penalty of up to 20 million Euros or 4% of the organisation’s annual worldwide turnover (whichever is greater) may be imposed. Examples of infringements attracting a 4% penalty include breaches of the basic principles of processing (such as conditions for consent), and breaches of requirements relating to international transfers of personal data.
For other specific infringements that are considered less serious, a penalty of up to 10 million Euros or 2% of the organisation’s annual worldwide turnover may be imposed.
4. What Should I Be Doing Now?
Be accountable – Look at Internal Processes, Policies and Procedures
Organisations should be taking steps now to establish appropriate frameworks. This includes promoting a culture of privacy compliance, as well as monitoring, reviewing and assessing current data processing procedures with the aim of minimising both the processing and the retention of personal data. Appropriate safeguards should be established for all data processing activities, and a clear process for identifying and notifying breaches should be created, including the adoption of an incident response plan that can meet the 72-hour deadline. Organisations may need to update their internal and external policies so that they are transparent and easily accessible. They should also consider producing a template data protection impact assessment and training relevant employees on how to use it.
Consider whether or not to and how to appoint a DPO
As noted above, appointing a DPO will be mandatory for some organisations.
While DPOs have been common for many years in certain countries (such as Germany), in the UK, it is likely that there will be a shortage of experienced DPOs. In the case of larger companies or companies with more complex data processing operations, a DPO team may be required and the resources required by the DPOs will be significant. Organisations should therefore be thinking now about how to best recruit and train DPOs and starting to plan for the necessary resourcing requirements.
Adopt Privacy by Design
Taking a “privacy by design” approach will be essential in minimising privacy risks and building trust with employees, suppliers, customers and other third parties. Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits such as:
- potential problems being identified and addressed earlier, which often makes them simpler and less costly to resolve;
- an increased awareness of privacy and data protection rights and responsibilities across the entire organisation; and
- legal obligations being met, thus avoiding both negative publicity and potential regulatory enforcement action.
If you would like any further information on the GDPR or any other data protection/privacy issue, please contact Rhys Williams on [email protected] or call +44 (0)1223 225284.