What is GDPR?
The GDPR is Europe’s new framework for data protection law. It replaces the 1995 data protection regime on which current UK law is based, applies from 25 May 2018, and is enforced, as now, by the Information Commissioner’s Office (ICO). The Government has confirmed that the UK’s decision to leave the European Union will not alter the new GDPR data environment.
Our specialist team of GDPR lawyers can help you through the maze that is the GDPR and the new obligations, some of which are identified below.
Our highly experienced data protection lawyers advise on a broad range of complex data protection issues. Our specialist lawyers, who have been dealing with technology and data law for over 25 years, will work with you to audit your data, your processing and your safeguards (including anti-breach safeguards), and we will support you in the event of a data breach. (A breach is much less likely if we have carried out the data audit process.)
The financial and reputational damage caused by a data breach can have devastating consequences for businesses and organisations, compounded by the new, significantly higher fine levels. Meanwhile, a breach of an individual’s information rights can have a significant impact upon their personal and professional lives and lead to significant compensation claims. Dealing with a data breach of any nature can carry significant risks, whether you are an individual or a business. We will work closely with you to understand the issue and what you hope to achieve, advising you on an appropriate approach and the likely outcomes. In the event your organisation is investigated by the Information Commissioner’s Office, our team can draw upon significant specialist regulatory and criminal experience to support your organisation through the enforcement process. We have expertise in data protection litigation in both the civil and criminal courts.
So what changes?
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA). If you are complying properly with the current law, most of your approach to compliance will remain valid under the GDPR and gives you a sound starting point to build from. However, the GDPR brings with it some new elements and significant enhancements, so there are a number of regulatory and procedural changes that you will have to build into your processes.
Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR in May 2018 and that they appreciate the impact this is likely to have.
Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
If you cannot identify exactly who you obtained the information from, you need to re-verify the information before 25 May 2018.
Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Individuals’ rights
Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
Subject access requests
The rules for these have changed significantly. You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information required. Subject access requests are also now free of charge.
Lawful basis for processing personal data
You should identify the lawful basis under the GDPR for each of your processing activities, document it and update your privacy notice to explain it. If you cannot confirm the particular data subject’s consent or another lawful basis for processing, you will need to stop processing that data.
Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the new GDPR standard.
Children
New GDPR rules apply to children’s data, and you should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
International
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. The Article 29 Working Party guidelines will help you do this.
Can YOU verify your data?
The GDPR requires you to maintain records of your processing activities. This is no different from the old data protection regime, except that the rights have been updated for a networked world.
Inaccurate records shared with third parties
A new obligation is that if you hold inaccurate personal data and have shared it with another organisation, you must tell that organisation about the inaccuracy so it can correct its own records. You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with. From 25 May 2018, you will need to document each and every time that you provide personal data to another party and will need to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place to meet these obligations.
Inaccurate records obtained from third parties are no longer a defence
Also new is the obligation to ensure that you hold accurate personal data and can identify where you got it from and the legal basis for processing it. You won’t be able to do this unless you know what personal data you hold and where it came from. This means that if a data subject is called by you or calls you and you can’t identify the lawful basis on which you hold their data (i.e. their consent or a contract) or how you came to get their data (i.e. from a third-party source, which you must be able to disclose to the data subject), then you can expect to be investigated and possibly fined. The ICO has also stated that it intends to use delete data orders more often (forcing all personal data for which explicit consent is not demonstrable to be deleted). Many companies have spent the last 3 months obtaining new data consents from everyone on their mailing list.
Getting or holding personal data after 25 May 2018
From 25 May 2018, you will need to document each and every time that you obtain personal data from a data subject or a third party and will need to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles.
When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. The GDPR requires this information to be provided in concise, clear and easy-to-understand language.
New Individual Rights for Data Subjects
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
The GDPR includes updated rights for individuals:
1. the right to be informed;
2. the right of access;
3. the right to rectification;
4. the right to erasure;
5. the right to restrict processing;
6. the right to data portability;
7. the right to object; and
8. the right not to be subject to automated decision-making including profiling.
On the whole, the rights individuals will enjoy under the GDPR are similar to those under the DPA but with some significant enhancements.
Data Portability & Abolition of the Subject Access Charge
The right to data portability is new. It only applies:
a) to personal data an individual has provided to a controller;
b) where the processing is based on the individual’s consent or for the performance of a contract; and
c) when processing is carried out by automated means.
You should consider whether you need to revise your procedures and make any changes. You will need to provide the personal data in a structured, commonly used and machine-readable form, and provide the information free of charge.