General Data Protection Regulation (GDPR)
The official EU General Data Protection Regulation website declares that the GDPR is ‘the most important change in data privacy regulation in 20 years.’
After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14th April 2016. It will directly enter into force in all Member States on 25th May 2018. From this date, any organisation not complying with the Regulation will face heavy fines. The government has confirmed that the UK’s decision to leave the EU will not affect the introduction of the GDPR in this country.
The GDPR replaces the 1995 Data Protection Directive 95/46/EC and is designed ‘to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.’
The biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR. It will apply to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. Of key importance, the GDPR provides greater safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. We also have two new concepts in data portability and a ‘right to be forgotten’. In terms of governance, the GDPR is following the existing German model with a mandatory appointment of a Data Protection Officer (or DPO) for those controllers and processors ‘whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.’
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. Much has, of course, changed since the original directive was adopted in 1995 and we are currently seeing a digital revolution.
The GDPR is a very comprehensive update and will apply in the UK from 25th May 2018. There are similarities to the existing UK Data Protection Act 1998 (DPA) but also many new requirements.
To help with the implementation of GDPR, the EU has formed an ‘Article 29 Working Party’ including representatives of the data protection authorities from each Member State. The ICO (Information Commissioner’s Office) is the UK’s representative. The ICO is committed to assisting businesses and public bodies in the UK to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond into the post-Brexit era.
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will work with government to stay at the centre of these conversations about the long term future of UK data protection law and to provide our advice and counsel where appropriate [ICO website].”
The GDPR applies to ‘controllers’ and ‘processors’. The definitions are similar to those in the DPA (ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf). Put simply, it is very likely that any firm currently subject to the DPA will also now be subject to the new GDPR. The GDPR places specific legal obligations on processors (eg requirements to maintain records of personal data and processing activities) with significantly more legal liability if responsible for a breach.
The GDPR applies to processing carried out by organisations operating within the EU but it also applies to organisations outside the EU that offer goods or services to individuals in the EU. Controllers are not relieved of obligations if a processor is involved. The GDPR places an obligation on controllers to ensure that contracts with processors comply with the GDPR.
Please note, the GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and that carried out by individuals purely for personal/household activities.
WHAT INFORMATION IS COVERED BY THE GDPR?
Like the DPA, the GDPR applies to ‘personal data’ but the definition in the latter is far more detailed and now provides for a wide range of personal identifiers (eg IP address) to constitute personal data. This reflects changes in technology and the way organisations collect information about people.
For most organisations, the change to the definition should make little practical difference. If you hold information currently within the scope of the DPA, it will also fall within the purview of the GDPR.
The GDPR applies ‘to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria’. This could include chronologically ordered sets of manual records containing personal data. Personal data that has been key-coded can still fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Special categories of personal data
The GDPR refers to sensitive personal data as ‘special categories of personal data’. Broadly, the tone is the same as the existing DPA but there are some minor changes (eg the special categories specifically include genetic data and biometric data where processed to uniquely identify an individual).
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).
Under the GDPR, the main responsibilities for organisations are set out in the ‘data protection principles’. The principles are similar to those in the DPA but with more detail and a new accountability requirement. The latter requires firms to show how they comply with the principles.
Please note, Article 5 of the GDPR requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) further specifies that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
RIGHTS RELATED TO AUTOMATED DECISION MAKING AND PROFILING
In essence, the GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These are similar to the existing rights under the DPA.
Of note, individuals have the right not to be subject to a decision when:
- it is based on automated processing; and
- it produces a legal effect or a similarly significant effect on the individual.
Firms must ensure that individuals are able to:
- obtain human intervention;
- express their point of view; and
- obtain an explanation of the decision and challenge it.
However, this right does not apply if the decision:
- is necessary for entering into or performance of a contract between a firm and the individual;
- is authorised by law (eg for the purposes of fraud or tax evasion prevention);
- is based on explicit consent (Article 9(2)); or
- does not have a legal or similarly significant effect on someone.
GDPR AND PROFILING
The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their:
- performance at work;
- economic situation;
- personal preferences;
- location; or
When processing personal data for profiling purposes, firms must ensure that appropriate safeguards are in place:
- Ensure processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the envisaged consequences.
- Use appropriate mathematical or statistical procedures for the profiling.
- Implement appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise the risk of errors.
- Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.
Automated decisions taken for the purposes listed in Article 9(2) must not:
- concern a child; or
- be based on the processing of special categories of data unless:
  - you have the explicit consent of the individual; or
  - the processing is necessary for reasons of substantial public interest on the basis of EU / Member State law. This must be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard fundamental rights and the interests of the individual.
The Article 29 Working Party will publish guidelines on profiling later in 2017.
KEY AREAS FOR CONSIDERATION
Increased Territorial Scope (extra-territorial applicability)
Arguably, the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR. It will apply to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. Previously, territorial applicability of the directive was ambiguous and referred to data processed ‘in context of an establishment’. GDPR makes its applicability very clear – it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or elsewhere.
The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, if the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
For processing to be lawful under the GDPR, a firm needs to identify a lawful basis before it can process personal data. These are referred to as the ‘conditions for processing’ under the DPA. All must be documented.
This is more of an issue under the GDPR because any lawful basis for processing has an effect on individuals’ rights. For example, if relying on someone’s consent to process their data the individual will generally have stronger rights.
The GDPR allows Member States to introduce more specific provisions in relation to Article 6(1)(c) if ‘processing is necessary for compliance with a legal obligation’ and Article 6(1)(e) if ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’ These provisions are particularly relevant to public authorities and highly regulated sectors.
Consent under the GDPR must be ‘a freely given, specific, informed and unambiguous indication of the individual’s wishes’. Consent has to be verifiable. There must be a positive opt-in and consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions. In particular, public authorities and employers will need to take care to ensure that consent is freely given. Firms will also need to provide a simple means to withdraw consent. ‘It must be as easy to withdraw consent as it is to give it [EU GDPR website].’
Firms can rely on other lawful bases apart from consent – for example, where processing is necessary for the purposes of an organisation’s or a third party’s legitimate interests.
Firms are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. However, if relying on individuals’ consent to process their data, firms must make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn! If not, firms must alter their consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
The Article 29 Working Party will publish guidelines on consent later in 2017.
Children’s personal data
The GDPR contains new provisions intended to enhance the protection of children’s personal data.
Where services are offered directly to a child, firms must ensure that any privacy notice is written in a clear and plain way that a child will understand. If an ‘information society service’ (ie online service) is offered to children, firms may need to obtain consent from a parent or guardian to process the child’s data.
The GDPR states that if consent is the basis for processing the child’s personal data, a child under the age of 16 can’t give that consent themselves. Consent is required from a person holding ‘parental responsibility’.
‘Information society services’ includes most internet services provided at the user’s request. The GDPR emphasises that protection is particularly significant where children’s personal information is used for the purposes of marketing and creating online profiles. Parental or guardian consent is not required where the processing is related to preventative or counselling services offered directly to a child.
The ICO is working on the issue of children’s personal data and aims to publish a report later in 2017.
Data Protection Officer (DPO)
Controllers are currently required to notify their data processing activities to their local data protection authority (the supervisory authority, not to be confused with the UK Data Protection Act). For multinationals, this can be a bureaucratic nightmare with most Member States having different notification requirements. Under GDPR it will not be necessary to submit notifications/registrations of data processing activities to each local supervisory authority. Instead, there will be internal record keeping requirements and a DPO appointment will be mandatory for those controllers and processors ‘whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.’
The DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices
- May be a staff member or an external service provider
- Contact details must be provided to the relevant supervisory authority
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest.
Job security is a perk of the DPO. The GDPR expressly prevents dismissal of the DPO and places no limitation on the length of tenure. A company with multiple subsidiaries can appoint a single DPO so long as he or she is ‘easily accessible from each establishment.’ The GDPR also allows DPO functions to be performed by either an employee of the controller or processor, or by a third party service provider. This will create opportunities for consulting and legal firms to offer DPO services!
Breach notification will become mandatory in all Member States under the GDPR where a data breach is likely to ‘result in a risk for the rights and freedoms of individuals’. This must take place within 72 hours of identification of the breach. Data processors are required to notify their customers (ie the controllers) ‘without undue delay’ after first becoming aware of a data breach.
Right to Access
The GDPR establishes the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Furthermore, the controller shall provide a copy of the personal data, free of charge, in an electronic format. ‘This change is a dramatic shift to data transparency and empowerment of data subjects [EU GDPR website].’
Data Erasure or ‘Right to be Forgotten’
As part of a strategy to expand individual control over the use of personal data, the GDPR introduces two new rights. Firstly, the regulation codifies a ‘right to be forgotten’ and, secondly, the right to data portability.
The ‘right to be forgotten’ entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Article 17 outlines the conditions for erasure, which include data no longer being relevant to the original purposes for processing and a data subject withdrawing consent. Controllers must also be aware of, and check for, a possible “public interest in the availability of the data” when considering such requests.
Under Article 17, controllers must erase personal data “without undue delay” if the data is no longer needed, the data subject objects to the processing, or the processing was unlawful.
GDPR introduces a new right to data portability that seeks to increase access to online services. This is a response to the so-called “Big Data” trend.
Data portability is the right for a data subject to request a copy of the personal data they have previously provided in a ‘commonly used and machine readable format’ permitting them to transmit that data to another controller. The right to data portability applies only when processing was originally based on the user’s consent or on a contract. It does not apply to processing based on a public interest or the controller’s own interests.
Privacy by Design
Privacy by design calls for the inclusion of data protection from the onset of the designing of IT systems rather than as a later addition. Under GDPR: ‘The controller shall … implement appropriate technical and organisational measures … in an effective way … in order to meet the requirements of this Regulation and protect the rights of data subjects’. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (ie data minimisation), as well as limiting the access to personal data to essential processing staff.
Organizations in breach of GDPR can be fined up to a maximum of 4% of annual global turnover or €20 Million (whichever is greater). There is a tiered approach to fines (eg a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment). It is very important to stress that these rules apply to both controllers and processors. This means that ‘clouds’ will not be exempt from GDPR enforcement!
ACCOUNTABILITY AND GOVERNANCE
The GDPR includes significant provisions that promote accountability and governance, and these complement the transparency requirements. Firms are expected to put into place comprehensive but proportionate governance measures. Good practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations.
Extract from EU GDPR website Q&A:
“In light of an uncertain ‘Brexit’ – I represent a data controller in the UK and want to know if I should still continue with GDPR planning and preparation?”
“If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear. The UK Government has indicated it will implement equivalent or alternative legal mechanisms. Our expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO and UK Government as an effective privacy standard, together with the fact that the GDPR provides a clear baseline against which UK business can seek continued access to the EU digital market. (Ref: http://www.lexology.com/library/detail.aspx?g=07a6d19f-19ae-4648-9f69-44ea289726a0)”
Undoubtedly, the world has changed since 1995. It should come as no surprise to any student of European regulation that we are now facing a highly complex piece of legislation, such has been the pace of technological development over the last two decades. It is obviously highly desirable to have a harmonised data protection regime for the EU, although it is disappointing we cannot establish global standards. There are significant differences, for example, with the USA. Multi-nationals will face a clash of data regulations, raising the possibility again of arbitrage. An ever more complicated rule book, leaving little unregulated, is the goal of EU legislators. On the downside, this ever expanding rule book must be regularly updated. It is also a potential minefield for both controllers and processors, and the prospect of big penalties may well discourage innovation, even if it is a stimulus to compliance. Despite a long lead-in time there are still gaps in our understanding. The extensive breach notification procedures are still not 100% clear and phrases such as “likelihood of risk to rights and freedoms” will concern those seeking regulatory certainty for personal data and a totally compliant organisation. We must remember, however, that EU legislation is always a compromise with 28 countries each vying for dominance in drafting new regulation. Experience tells us that this is not a good recipe for effective regulation and the law of unintended consequences is always waiting in the wings.
There are a number of questions we must ask concerning the GDPR. Is it good regulation? Proportionate? Cost effective? Overall, the DPA has been in place for over twenty years and has proved adequate and ‘fit for purpose’. The GDPR is a highly prescriptive successor leaving no wriggle room. It adds a high degree of complexity for a questionable gain in overall consumer protection. Limehouse will always be a strong advocate for principles-based regulation and a far smaller rule book. In the data protection arena, we believe that a few well chosen principles could replace much regulatory text and provide adequate, and appropriate, consumer protection. Alas, the die is cast!
Risk Directors will welcome the introduction of DPOs. This is a concept adopted from Germany’s Federal Data Protection Act. Failure to comply with Germany’s compulsory DPO requirements can lead to significant fines. We also see value in such an appointment especially in light of the regulatory minefield posed by the GDPR and its penalty tariff.
Going forward, with the introduction of data portability and greater user control over data, there will be new challenges for controllers in implementing IT systems that are readily responsive to user requests concerning their data. There will be an urgent need for effective user interfaces. For compliance purposes, controllers must implement systems that minimize the collection of data whilst also ensuring accurate authentication to avoid abuse. This will be resource heavy. The DPO will, of course, oversee these systems.
The GDPR has anticipated a marketplace with bespoke associations operating across the various sectors. It firmly endorses the use of codes of conduct and certifications (eg seals and marks) to provide guidance on the GDPR’s numerous requirements. The GDPR is unique in stating that codes of conduct can be made binding and enforceable as opposed to voluntary and self-regulatory. If a draft code of conduct is drawn up by a private association it must be submitted to the appropriate supervisory authority to determine whether it provides ‘sufficient appropriate safeguards.’ If the draft code is applicable to several Member States, the supervisory authority must before approval submit a copy to the European Data Protection Board (EDPB) for their opinion before also being reviewed by the European Commission. Approved codes of conduct will be published in a register to be maintained by the EDPB. It all looks a bit of a bureaucratic nightmare but, hopefully, a common standard regarding data and data protection may eventually evolve and be adopted on both a pan-European and global basis. Limehouse can see controllers and processors operating outside the EU engaging in international personal data transfers by using certifications, seals or marks to demonstrate their GDPR compliance.
To conclude, GDPR will be seen by many in continental Europe as a great step forward in helping to combat the problems caused by ‘Big Data’ in our society. Big data is, of course, a term that describes the large volume of data that inundates a business on a day-to-day basis, much of it relating to the individual. The GDPR has been written with the best of intentions but experience tells us that good regulation is simple regulation. It must be proportionate and readily understood by both the players in the marketplace and the consumer. The GDPR will fail on all counts. A shed load of new rules is no real defence for the consumer in the short term unless the national supervisors are going to employ an army of monitors to check on compliance. It will be very interesting to see how GDPR can track and respond to new technological developments. Constant revision looks inevitable if EU regulators maintain their rule book approach. One thing is certain. DPOs will be kept very busy in the years ahead!
Roger Davies is Principal Consultant at Limehouse Consulting.
This publication contains general information only and is based on the experiences and research gathered by Limehouse Consulting and Strategy Limited (hereinafter “Limehouse”) practitioners. Limehouse, is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Limehouse, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication. Please see www.limehouseconsulting.com for a detailed description of the legal structure of Limehouse and the organization’s offerings.
Copyright © 2017 Limehouse Consulting and Strategy Limited