On May 25th next year the European Union’s (EU) new data protection framework, the General Data Protection Regulation (GDPR), will become law. Business and other commercial activities will have to follow strict rules concerning the processing of personal data – whatever the outcome of the Brexit negotiations.
It is probably the most significant piece of data protection legislation to date. It will have an impact on every organisation that holds or processes personal data, either in connection with goods/services offered to an EU resident or in monitoring the behaviour of persons within the EU. GDPR is designed to strengthen individuals’ privacy rights by providing tighter limits on the processing of one’s personal data, significantly expanding one’s control over personal data and providing improved transparency into the nature and purpose of processing activities and the use of that data.
As a business, you must show a commitment to providing products and services that can enable your customers to access their personal data in accordance with GDPR.
To demonstrate your GDPR-compliance efforts you may have to work with industry associations, consultants, data privacy experts and other key industry and government representatives to evaluate the forthcoming requirements that will affect your business whilst developing basic guidelines to enable your staff to deal with relevant key aspects of GDPR compliance.
The interpretations of the GDPR, and the related guidance issued by authorities in the field, continue to evolve. The views expressed on certain sections vary between those authorities, so we urge a cautious approach. Consider taking advice from your legal, financial or insurance advisors and trade bodies.
General Data Protection Regulation: Key Requirements
The new regulations will alter the way that you handle, store and process Personal Data. The following key points should be considered.
Conditions for Consent
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes by which they signify agreement to the processing of their personal data. This consent must be provided by the individual through a statement or a clear affirmative action; consent cannot be inferred and must also be separate from other terms and conditions.
Controller-Processor Relationships
‘Controllers’ still bear the primary responsibility for compliance, although Processors also have direct compliance obligations under the GDPR. The term ‘Processor’ refers to any entity that processes personal data under the Controller’s instructions (e.g., many service providers are Processors).
Data Breach Reporting
In the event of a breach involving personal data, the Controller shall, where feasible, notify the relevant supervisory authority within 72 hours after becoming aware of it; and, if there is a likely high risk to the rights and freedoms of individuals, notify the affected data subjects without undue delay.
Data Inventory
Controllers and Processors must create centralised repositories containing records of processing activities carried out on personal data.
Data Protection Impact Assessments
Data protection impact assessments (DPIAs) (also known as privacy impact assessments or PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ rights and expectations with respect to the processing of their personal data.
Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, then prior to processing, an assessment of the impact of the envisaged processing operations on the protection of personal data must be carried out.
Data Protection Officer
Controllers and Processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or the large-scale processing of special categories of data, must appoint a Data Protection Officer (DPO). The DPO has specific tasks assigned by the regulation and enjoys certain protections in carrying out that role within the organisation.
Data Subject Rights & Information
Controllers shall provide the information outlined in Articles 13 & 14 of the GDPR to data subjects, and data subjects may access, correct, delete, restrict processing of, and transfer, their personal data, as well as object to automated decision-making based on their personal data; however, there are certain exceptions to these rights.
Lawfulness of Processing
A legal basis for processing an individual’s personal data must be established, such as consent, performance of a contract, legal obligation, protection of the vital interests of an individual, tasks carried out in the public interest or in the exercise of official authority, or legitimate interest balanced against the fundamental rights of data subjects. An organisation needs to identify a lawful basis before it can process personal data, and must then document that basis.
Security of Processing
Controllers and Processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate for the personal and/or sensitive personal data being processed (e.g., in collecting, storing or deleting such data).
The General Data Protection Regulation introduces some additional, enforceable rights for individuals whilst strengthening those rights that already exist under current data protection law.
Right to access
This right allows individuals to access their personal data so that they can be aware of and can verify the lawfulness of the processing. Businesses must provide a copy of the information (possibly for a reasonable/small charge).
The regulation introduces a new best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information.
Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. An organisation must provide the personal data in a structured, commonly used and machine-readable form (in open formats such as CSV files). Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.
You will need to develop a management system/protocol that can provide a record of customer requests for data and to verify that such requests were actioned within the appropriate time-frame.
Right to Erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. If an organisation has disclosed the personal data in question to third parties, it must inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
There are extra requirements when the request for erasure relates to children’s personal data, especially in online environments.
Right to be informed
The right to be informed encompasses an obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how personal data is used. The information should be provided within a reasonable period of having obtained the data (within one month). Where the data is used to communicate with the individual, it must be provided at the latest when the first communication takes place; where disclosure to another recipient is envisaged, at the latest before the data are disclosed. It is the responsibility of the business to create its own fair processing notice.
Right to object
Individuals have the right to object to:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
- Direct marketing (including profiling)
- Processing for purposes of scientific/historical research and statistics.
Rights related to automated decision making and profiling
The right provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
Profiling is any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict performance at work, economic situation, health, personal preferences, reliability, behaviour, location, or movements. When processing personal data for profiling purposes, you must ensure that appropriate safeguards are in place.
Right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
If an organisation has disclosed the personal data to third parties, it must inform those third parties of any rectification, where possible. The organisation must also inform the individual about the third parties to whom the data has been disclosed, where appropriate.
Right to restrict processing
When processing is restricted, an organisation may be permitted to store the personal data, but not further process it. The organisation may retain just enough information about the individual to ensure that the restriction is respected in the future.
If an organisation has disclosed the personal data in question to third parties, it must inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.
Steps to Begin Preparing Your Organisation
As organisations begin to prepare for the new regulation, it is important to understand the basic but necessary steps to ensure that data protection forms part of your organisation’s core workflows. The following might help in this respect.
- Educate your staff: Inform your staff of the changing law and the impact that a data breach may have under the new regulation, through information-sharing meetings, meet-ups, and reviews of the organisation’s risk register. Pay particular attention to your IT team and ensure they are fully educated on the requirements, for instance those regarding data portability, the ‘right to be forgotten’ and the ‘right to erasure’.
- Conduct an information audit: Know where personal data is held, where it came from, and with whom it is shared. An information audit is a key part of the data compliance requirements and should be performed on a regular basis, not only as a one-off step in this guide. It also forms part of the accountability principle, which requires organisations to show how they comply with the data protection principles.
- Review and update privacy information: Review your privacy notices and develop a strategy for how to gather and share personal data in accordance with the new regulation. This includes appropriate disclaimers or notices on websites, as well as the contracts in place with customers and third-party organisations. The regulation also requires you to explain the legal basis for processing the data, the data retention period, and an individual’s right to notify the appropriate supervisory authority if there is a problem.
- Take individual rights into account: Understand how the new regulation addresses an individual’s right to be forgotten, and the need for an organisation to have procedures in place to adequately satisfy any such request.
- Be prepared to handle data requests: Update procedures to be able to handle data requests based on new and revised timescales, as well as be able to provide additional information as may be requested. Organisations may not charge for complying with a request and will have only one month to comply with the request.
- Establish a legal basis for processing personal and/or sensitive personal data: Analyse and review the reasons for processing any personal data, and document and confirm that there are solid legal grounds upon which to do so. The legal basis for processing personal data will need to be explained in the privacy notice and whenever a subject access request is processed, all of which needs to be documented to meet the accountability requirements. If your business processes personal data about children or which is age related, then you should implement systems to verify the individual’s age and to seek parental or guardian consent for any processing of a child’s personal data.
- Review consent mechanism: Review and update the mechanisms by which your organisation seeks, obtains, and records consent for processing personal data. Consent has to be a positive indication of agreement to personal data being processed, and it cannot be inferred from pre-ticked boxes, inactivity or silence. Consent also has to be verifiable.
- Implement procedures for handling data breaches: Build procedures that prepare your organisation to detect, respond to, report on, and investigate data breaches. Develop a security incident notification/communication and response process for when a data breach occurs, and review and enhance the security incident response process as appropriate. Know the timelines for reporting data breaches affecting personal data, as failures to meet these obligations are subject to statutory penalties and fines.
- Incorporate data protection by design and privacy by default: Implement data protection by design and privacy by default into your processes and procedures, including in the development of any applications which are used to process personal data, for example through appropriate built-in security controls and encryption. Data protection impact assessment/privacy impact assessment (DPIA/PIA) procedures will need to be implemented; whilst an assessment does not need to be carried out in every instance, a DPIA/PIA is required in high-risk situations (e.g. where new technology processing personal data is being deployed).
The Scary Bit
If you get it wrong, you could be fined up to 4% of your turnover (or 20M Euro if higher!).
The Solution
Adopt best practice: Make sure your IT systems are secure and your staff trained not to give away data by mistake. Insure against the risk of mishap, accident or criminal intervention. Make sure you only give your working partners and contractors the data they need, and make sure they have both insurance and the systems in place to protect that data. If it is compromised, it is probably still your responsibility. Make sure your insurance includes support in the event of a data breach (electronic or otherwise), including forensic investigations, legal advice, notifying customers or regulators, and offering support to affected customers.
Author’s Note: This document is provided for information purposes only. It is intended to provide current, relevant and general, information on GDPR. The contents of this document are based on our opinion and current understanding of the law and will not be updated so changes to the law or interpretation thereof after November 1st 2018 are not considered. Updated articles may be available on bgi.uk.com from time to time. Nick Elwell.
For information on and assistance with Cyber-risk Management and Insurance please contact BGi.uk. Webinars on GDPR and Cyber Security are available at itgovernance.co.uk/webinars
Related resources and tools: Applied Systems Europe Ltd, Ireland Data Protection Commissioner (DPC), Official Journal of the European Union, Privacy Impact Assessment tool (UK ICO), IT Governance.co.uk, The EU General Data Protection Regulation, The GDPR and You (Ireland DPC), UK Information Commissioner’s Office (ICO)