General Data Protection Regulation

The GDPR will affect all businesses that are currently subject to the Data Protection Directive in the handling of personal data as well as other businesses not currently subject to that regime. Each business will be impacted differently but those businesses that handle a significant amount of personal data will be the most affected and required to adapt to the new rules. It is important to take note of the new regulations as failure to comply will result in a hefty fine or penalty.

The General Data Protection Regulation (GDPR), was published in the Official Journal of the European Union on 4 May 2016. The GDPR will replace the Data Protection Directive with effect from 25 May 2018 thus businesses now have two years within which to comply with the new regime.

The Information Commissioners Office (ICO) has published guidance both on preparing for the GDPR and the priorities for business which, will be a valuable resource in helping business to frame its compliance.

The key features are;

  1. Consent; as a legal basis for processing, will be harder to obtain. Businesses in the UK have, so far, been able to rely on implied consent but now they must be able to demonstrate that an individual gave their consent to the processing and it is unclear, without regulatory guidance, how far an individual's implied consent can be relied upon. The GDPR requires a very high standard of consent, which must be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the individual's agreement to their personal data being processed, such as by a written (including electronic or oral) statement. Businesses will bear the burden of proof that consent was validly obtained. Businesses that rely on consent, as a legal basis for processing personal data, will need to carefully review their existing practices to ensure that any consent they obtain indicates affirmative agreement from the data subject. Mere acquiescence does not constitute valid consent under the GDPR. Businesses must also consider how they will discharge the evidential burden of demonstrating that consent has been obtained. Changes to consent mechanisms will require careful review, and may take time to implement. Businesses will need to;
  • Create awareness among the senior decision makers about these new issues.
  • Audit and document the personal data they hold, recording where it came from and who it is shared with.
  • Review the legal basis for the various types of processing that they carry out and document this.
  • Review privacy notices and put in place a plan for making any changes to comply with the GDPR.
  • Review customer contracts to ensure compliance
  1. Implementation. The GDPR will require businesses to implement technical and organisational measures (such as pseudonymisation see below) to ensure that the requirements of the GDPR are met. In particular businesses must:
  • Take data protection requirements into account from the inception of any new technology, product or service that involves the processing of personal data, with an ongoing requirement to keep those measures up-to-date.
  • Conduct data protection impact assessments (see below) where appropriate.
  • Plan these steps into future product/service cycles.
  • Appoint a data protection officer (particularly, where it is mandatory to do so) with expert knowledge of data protection. Businesses should be aware that if an employee is appointed as the data protection officer, that employee may have protected employment status in some EU member states.
  • Develop and implement a data breach response plan (including designating specific roles and responsibilities, training employees, and preparing template notifications) enabling them to react promptly in the event of a data breach. Complying with the data breach reporting obligations in the GDPR will also entail a significant administrative burden for businesses, which may increase costs.
  1. Pseudonymiseation (that is, the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual, without additional information). Pseudonymous data will still be treated as personal data, but may be subject to fewer restrictions on processing, if the risk of harm is low. It requires that the "key" necessary to identify data subjects from the coded data is kept separately, and is subject to technical and organisational security measures to prevent inadvertent re-identification of the coded data.
  2. New obligations of data processors. The GDPR introduces direct compliance obligations for processors. Whereas under the Data Protection Directive processors generally are not subject to fines or other penalties, under the GDPR processors may be liable to pay fines of up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros, whichever is greater. The GDPR is likely to substantially impact both processors and controllers that engage processors in the following ways:
  • The increased compliance obligations and penalties for processors are likely to result in an increase in the cost of data processing services.
  • Negotiating data processing agreements may become more difficult, as processors will have a greater interest in ensuring that the scope of the controller's instructions is clear.

Summary of other Changes introduced by the GDPR

Greater harmonisation

The GDPR is intended to create a single legal framework that applies across all EU member states. In theory this means that businesses should face a more consistent set of data protection compliance obligations in EU member states although history shows us that this is rarely a consistent continuum.

Expanded territorial scope

Non-EU data controllers and data processors will be subject to the GDPR if they either:

  • Offer goods or services to data subjects in the EU irrespective of whether payment is received.
  • Monitor data subjects' behaviour insofar as their behaviour takes place within the EU.

This means that many non-EU businesses that were not required to comply with the Data Protection Directive will be required to comply with the GDPR. This could have implications for group companies outside the EU.

Increased enforcement powers

NDPAs will be able to impose fines on data controllers and data processors on a two-tier basis which is much more onerous than currently:

Up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers, and data protection by design and default.

Up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects rights and international data transfers.

NDPAs will have power to carry out audits, as well as to require information to be provided, and to obtain access to premises (in accordance with local law requirements).

Businesses must be able to demonstrate that the data subject gave their consent to the processing and will bear the burden of proof that consent was validly obtained.

When the processing has multiple purposes, the data subject should give their consent to each of the processing purposes.

The data subject shall have the right to withdraw their consent at any time

If the consent has been given by an employee in their contract of employment it may be thought  to be harder to withdraw, however if there is a "clear imbalance" between the parties (for example, the employer and employee relationship) consent is presumed not to be freely given.

Many customers will be currently relying on consent given in this context

The risk-based approach to compliance

The GDPR adopts a risk-based approach to compliance, under which businesses bear responsibility for assessing the degree of risk that their processing activities pose to data subjects. Example of this are, privacy by design and default the new accountability principle and requirement for data controllers to maintain documentation, privacy impact assessments, data security requirements and the appointment of a data protection officer.

Lead enforcement authority

Under the GDPR, a business will be able to deal with a single NDPA as its "lead authority" across the EU. How this will work is not known, however it will require a degree of co-operation between authorities rarely seen previously.

The lead supervising authority (SA)  must work with all other "concerned SAs"; each relevant SA to have a say in decisions on enforcement relating to cross-border processing activities.

There is a mechanism for dealing with disagreements between the SAs involved.

Purely local cases will continue to be handled by the SA for the local jurisdiction.

Design and Impact assessments

Mandatory privacy impact assessments

Businesses will be required to perform data protection impact assessments (PIAs) before any processing that uses new technologies and (taking into account the nature, scope, context and purposes of the processing) is likely to result in a high risk to data subjects, takes place. In particular, PIAs will be required for certain processing operations determined by the NDPA.

Data controllers can carry out a single assessment to address a similar set of similar processing operations that present similar high risks.

Where a PIA indicates that the processing would result in a “high risk” to individuals, the business must consult with the NDPA before any processing taking place.

Record requirements

The GDPR will require businesses to maintain detailed documentation recording their processing activities and the information this record must contain is set out in the GDPR.

Data processors must keep a record of the categories of processing activities it carries out and the GDPR specifies what this record must contain.

These obligations do not apply to an organisation employing fewer than 250 people unless the processing is likely to result in high risk to individuals; the processing is not occasional or the processing includes sensitive personal data.

In addition, in certain circumstances, controllers or processors are required to appoint a data protection officer

Strict data breach notification rules

The GDPR requires businesses to notify, the NDPA of all data breaches without undue delay and where feasible within 72 hours unless the data breach is unlikely to result in a risk to the individuals. If the data controller cannot do this, it will have to justify the delay to the NDPA.

If the breach is unlikely to result in high risk to the individuals, the GDPR, requires businesses to inform data subjects "without undue delay”.

Binding Corporate Rules (BCRs)

BCRs are agreements used to lawfully transfer personal data out of the European Economic Area (EEA). The GDPR formally recognises BCRs. They will still require NDPA approval, but the approval process should become less onerous than the current system. BCRs are available to both controllers and processors. There are some new question marks about BCRs which have been raised in connection with standard provisions and the behaviour of governments/intelligence services in some states like the US.

The right to erasure

Individuals will have the right to request that businesses delete their personal data in certain circumstances (for example, the data is no longer necessary for the purpose for which it was collected or the data subject withdraws their consent). It remains unclear precisely how this will work in practice.

The right to object to profiling

 In certain circumstances, individuals will have the right to object to their personal data being processed (which includes profiling).

“Profiling" is defined broadly and includes most forms of online tracking and behavioural advertising, making it harder for businesses to use data for these activities. The fact of profiling must be disclosed to the data subject and a PIA is required. The European Data Protection Board is expected to provide further guidance on profiling.

The right to data portability

Data subjects have a new right to obtain a copy of their personal data from the data controller in a commonly used and machine readable format and have the right to transmit that data to another controller (for example, an online service provider). In exercising their right, the data subject can request the information be transmitted directly from one controller to another, where technically feasible.

Data subject access requests

Business must reply within one month from the date of receipt of the request (it is currently 40 days) and provide more information than was required under the Data Protection Directive.

If you are a Company and would like advice on the new regulations or any of our other services – speak to Roy Colaba in our Company and Commercial Department on 0121 698 2200 or fill in our online enquiry form.

Click here for Information sheet download

Lexcel Practice Management Standard Birmingham Law Firm of the Year for 2011 Resolution Collaborative Family Lawyer The Law Society Accredited in Family Law UK Legal 500 2016 Conveyancing Quality Scheme