The European General Data Protection Regulation (GDPR) applies across the European Union from 25 May 2018. It aims to standardise and strengthen the data protection rights of individuals in the EU by emphasising transparency, security and accountability on the part of data controllers and data processors.
Whilst many of the themes, high-level requirements and language of the GDPR are not vastly different from existing data protection legislation, the GDPR imposes new obligations and stricter requirements on in-scope organisations. It also provides for administrative fines of up to €20 million (roughly £18 million) or up to 4 per cent of total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements. The GDPR applies to any data controller or data processor established in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. As an EU regulation it applies directly in the United Kingdom; the Data Protection Bill currently going through Parliament supplements it and exercises the national derogations the GDPR permits. The UK Government has confirmed that the application of the GDPR will not be affected by the UK’s impending departure from the EU.
The GDPR defines ‘personal data’ broadly as any information relating to an identified or identifiable living individual. The obvious examples are a name or an identification number. The definition also reaches less obvious identifiers through which an individual can be singled out, directly or indirectly, such as an IP address or other online identifier, location data, a mobile device identifier, or factors specific to the physical, genetic, economic, cultural or social identity of that person.
Article 9 prohibits the processing of “special categories of personal data” (commonly called “sensitive personal data”) unless one of its listed conditions applies, such as the explicit consent of the data subject. The categories treated as sensitive have been expanded from previous legislation: they now include genetic data and biometric data processed to uniquely identify a person, alongside health data, racial or ethnic origin, sex life or sexual orientation, political opinions, religious or philosophical beliefs and trade union membership.
Data controllers and data processors
A data controller is a person or entity that determines the purposes and means of the processing of the personal data it holds. A data processor performs processing on behalf of the data controller – for example, an organisation (the data controller) may use a marketing company or a payroll firm to perform work on its behalf. Under the GDPR, data processors have direct obligations of their own (for example to keep records of their processing, to secure the data and to notify the controller of personal data breaches) and may be fined or otherwise sanctioned if they fail to comply.
Data controllers remain liable for their own compliance with the GDPR. If a data controller uses a data processor, a binding written contract (or other legal act) must be in place that governs that processing. Similarly, if a data processor engages a sub-processor, a written contract imposing the same data protection obligations is required between them. Any contracts that are still active when the GDPR becomes applicable must meet the new GDPR requirements.
Article 28(3) of the GDPR sets out the minimum content of such a contract. It must record the subject matter and duration of the processing, its nature and purpose, the type of personal data and the categories of data subjects, and the obligations and rights of the controller. The contract must also bind the processor to act only on the controller’s documented instructions, to implement appropriate security measures, to engage sub-processors only with the controller’s authorisation, to assist the controller in meeting data subject rights and its own security and breach-notification obligations, and to delete or return the personal data at the end of the engagement. If a data processor fails to meet these obligations, or determines the purposes and means of processing in breach of the controller’s instructions, it is treated as a controller in respect of that processing and may be liable for damages in legal proceedings and/or subject to fines under the GDPR.
The UK Information Commissioner’s Office (ICO) has published draft guidance for consultation on these contractual requirements (available at its website: ico.org.uk). At the time of writing we are awaiting the outcome of that consultation, which closed in October 2017.
Further requirements apply when personal data is transferred outside the European Economic Area to a “third country”. Such transfers may proceed freely only where the European Commission has adopted an adequacy decision recognising that the destination country provides an adequate level of data protection. Where no adequacy decision exists, the controller or processor must put in place one of the “appropriate safeguards” listed in Article 46, most commonly the standard contractual clauses (model contracts) adopted by the European Commission, which can be downloaded from its website, or binding corporate rules approved by the competent supervisory authority. Failing that, a transfer may rely only on one of the narrow derogations in Article 49, such as the explicit, informed consent of the data subject. Following the UK’s exit from the European Union, the UK will itself likely become a third country from an EU perspective; we would expect recognition of the adequacy of the UK’s data protection regime to be an area of focus during the UK’s detailed exit negotiations.
Lawfulness of processing
Article 6 sets out the six “lawful bases” on which personal data may be processed: the consent of the data subject; performance of a contract with the data subject; compliance with a legal obligation; protection of someone’s vital interests; performance of a task carried out in the public interest or in the exercise of official authority; and the legitimate interests of the controller or a third party. At least one basis must apply to every processing activity, and it should be identified and documented before processing begins, because the basis relied upon must be stated in the privacy information given to data subjects.
If an organisation relies on consent as its lawful basis, the GDPR’s higher standard for consent applies. The request must be presented clearly and separately from other matters, in plain language, and must be specific to each processing purpose. Recital 32 states that consent must be given by “a clear affirmative act” and that silence, pre-ticked boxes or inactivity do not constitute consent. The controller must be able to demonstrate that consent was given. Individuals have the right to withdraw consent at any time, and withdrawing it must be as easy as giving it, so appropriate mechanisms must be provided. Additional restrictions apply to consent given by children for online services: parental consent is required below the age of 16, a threshold that member states may lower to no less than 13.
“Legitimate interests” may be a lawful basis for processing personal data, but only where those interests are not overridden by the interests or fundamental rights and freedoms of the data subject, so a documented balancing test is required, and public authorities cannot rely on this basis for processing carried out in the performance of their tasks. The GDPR Recitals cite examples of processing that could be in the legitimate interest of the data controller. Recital 47 states that “Such legitimate interest could exist…where there is a relevant and appropriate relationship between the data subject and the controller…such as where the data subject is a client or in the service of the controller”. Recitals 47 to 50 further cite direct marketing, transmitting personal data within a group of undertakings for internal administrative purposes, ensuring network and information security, and reporting possible criminal acts as processing activities that could rely on this basis. However, careful consideration is required before relying on legitimate interests. Recital 47 cautions that data controllers should take into account the reasonable expectations of data subjects, including whether the data subject can “reasonably expect” their data to be processed for that purpose at the time and in the context in which it was collected.
Enhanced individual rights
Articles 12–23 of the GDPR cover the enhanced rights of individuals. Among these, the GDPR obliges organisations to provide ‘fair processing information’, typically through a privacy notice at the point of data capture, which must include the lawful basis for the processing. Other rights include the right of access to one’s personal data, the right to have inaccurate or incomplete data rectified, the right to erasure in certain circumstances, the right to restrict or object to processing (including an unconditional right to object to direct marketing), and the right to data portability, meaning the right to receive one’s data in a structured, commonly used and machine-readable form and to have it transmitted to another controller where technically feasible. Requests must normally be answered without undue delay and at the latest within one month, and can no longer be charged for except where they are manifestly unfounded or excessive. While these rights are similar to those under existing data protection legislation, existing organisational processes should be revisited to ensure they can meet the enhanced requirements, for example producing personal data in a machine-readable form within the one-month deadline. Should an organisation suffer a personal data breach, new reporting obligations apply: the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach, unless it is unlikely to result in a risk to individuals, and affected data subjects must be informed where the breach is likely to result in a high risk to them.
Accountability and privacy by design
Article 5 of the GDPR places the onus on organisations to be able to demonstrate their compliance with its data protection principles under the principle of “accountability”. This may require organisational changes to their approach to data protection compliance. Organisations will be required to evidence that the personal data they acquire is collected lawfully, fairly and transparently for specified purposes. They must also be able to demonstrate that only the minimum data required for those purposes is captured, that the data is accurate and kept securely, and that it is retained for no longer than is demonstrably necessary. Article 25 covers “data protection by design and by default”, requiring that “appropriate technical and organisational measures” are built in from the outset of data processing activities and that, by default, only the personal data necessary for each specific purpose is processed. Article 35 requires organisations to conduct a Data Protection Impact Assessment (DPIA) before starting processing that is “likely to result in a high risk to the rights and freedoms of natural persons”, for example large-scale processing of special categories of data or systematic monitoring of a publicly accessible area. The Article 29 Working Party (an official advisory body consisting of representatives of the data protection authorities of each EU member state) has issued guidance on how and when DPIAs should be conducted. While the requirement for DPIAs applies to processing operations initiated after the GDPR becomes applicable on 25 May 2018, the Article 29 Working Party “strongly recommends” that DPIAs also be carried out for processing that is already underway.
What should my organisation do now?
The above highlights some of the areas where the GDPR imposes higher standards for data protection. It is each organisation’s responsibility to be able to demonstrate how it complies with the GDPR principles.
A key initial step is to understand what personal data your organisation processes. This should be documented, showing how personal data is captured, where it is stored, how long it is retained and under what lawful basis (as defined by the GDPR) it is processed. Article 30 requires controllers and processors (other than some organisations with fewer than 250 employees) to maintain a written record of their processing activities, so this inventory should be produced in a form that can serve as that record. It should also capture any personal data that is transferred to third-party processors or outside the EEA.
Among the subsequent steps to take, an organisation should validate that it has:
- defined organisational policies and procedures covering how data is captured, processed, managed and disposed of;
- defined processes to fulfil Data Subject Right obligations;
- implemented GDPR-compliant contractual arrangements with third-party processors;
- confirmed if they are required to appoint a dedicated Data Protection Officer per Article 37 of the GDPR;
- identified cross-border transfers outside of the EEA, and put in place an adequacy decision, appropriate safeguards such as standard contractual clauses, or a valid derogation for each; and
- implemented appropriate monitoring and controls to evidence their GDPR compliance.
In parallel to the above activities, it is crucial that your organisational culture supports your GDPR obligations. Training and awareness activities should be conducted so that everybody in your organisation is aware of your organisational policies and requirements for compliance. Furthermore, support is required from the highest levels of your organisation to ensure that compliance forms a key part of your management activities.
The UK Information Commissioner’s Office (ico.org.uk) provides a GDPR readiness assessment checklist which can help you to identify the areas of GDPR compliance where gaps remain, alongside other useful GDPR reference materials.
KPMG offers a full range of services which can be customised to suit your specific needs at any stage on your journey to GDPR readiness.