Put simply, the General Data Protection Regulation (GDPR) is new legislation designed to ensure that personal data is protected under the law.
The GDPR is an EU Regulation that applies directly to the UK and came into force on 25 May 2018. Its full title is Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The provisions of the GDPR have also been incorporated into a new UK Data Protection Act 2018, leaving absolutely no doubt that even after the UK leaves the EU the obligations contained in the GDPR will continue to apply.
The GDPR represents as big a change to the law as the Health and Safety at Work Act, but many organisations are only just becoming aware of it.
For almost all UK organisations, the answer to the question “does the GDPR apply to us?” is “YES”. The GDPR applies to all organisations whose activities involve the processing of personal data. This may sound like it’s not relevant to what you do in your business, but read on and you’ll see that it almost certainly is…
Personal data is simply any information relating to an identified or identifiable person. An identifiable person is someone who can be identified, directly or indirectly, from the data held on them. This could include identification by reference to a name, an identification number, location data, an online identifier (such as an IP address) or to factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person. If you have employees, customers or suppliers it is highly likely that you hold or use some personal data.
Processing is defined in the GDPR as any operation which is performed on personal data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. This covers pretty much everything you could possibly do with personal data. If you hold or use any personal data this is classed as ‘processing’ under the GDPR.
So, if you have any records relating to employees, customers or suppliers that could be used to identify an individual person, under the GDPR you are considered to be processing personal data and the GDPR applies to you.
The terminology used in the GDPR can seem confusing. If you hold or use personal data you are considered to ‘process’ personal data. Your role in data processing is either as a ‘controller’ or as a ‘processor’. But both controllers and processors ‘process’ personal data!
Your organisation acts as a controller of personal data if it is data that you hold and you determine what is done with it (i.e. you determine how and why it is processed). Virtually all organisations will be controllers of some data sets, most obviously their employee records.
Your organisation acts as a processor of personal data if you handle personal data on behalf of a controller. Sticking with the example of employee records, if organisation X uses an accountancy firm to manage their payroll, the accountancy firm is the processor of that personal data (and organisation X is the controller, because they decide what is done with that data and the accountancy firm is doing it on their behalf).
Bear in mind that most organisations are likely to have controller responsibilities for personal data held for internal purposes, such as their employees’ records. If you are a processor, you must be able to distinguish between your ‘own’ data (for which you are the controller) and the data you process on behalf of a controller (for which you are the processor), so that you can determine what your data protection obligations are in each case.
Within the GDPR, there are six possible legal grounds for lawful data processing; consent is one of these grounds. However, consent is only an appropriate justification where you can explicitly offer people real choice and control over how you use their data.
The GDPR sets a much higher standard for consent than was the case under the Data Protection Act 1998, which has now been repealed and replaced with the Data Protection Act 2018.
If you have to rely on consent as the grounds for processing a particular data set you need to make sure that:
- The indication of consent is unambiguous and involves a clear affirmative action. It must be freely given, which may cause difficulties where there is an imbalance in the relationship, such as where personal data is being supplied to an employer or a public authority;
- Consent is separate from other terms and conditions. It must not be a precondition of signing up to a service unless necessary for that service;
- You do not use pre-ticked opt-in boxes. These are specifically banned by the GDPR;
- You keep clear records to demonstrate consent; and
- You tell people who have given consent about their right to withdraw consent, and provide an easy way for those people to withdraw consent at any time. The GDPR states that it must be as easy to withdraw as it was to give consent.
If your existing consent mechanisms do not meet the above standards, you will need to obtain fresh consent now that the GDPR has come into force.
Additional consent obligations apply if you offer online services directly to children under the age of 13. If you provide such services you will need to make reasonable efforts to verify that consent has been given or authorised by a holder of parental responsibility for the child.
Remember that consent is only one of the lawful grounds for processing. If you are having difficulty fitting the above requirements into your consent mechanisms, you should consider using one of the alternative grounds, namely that the processing of personal data is necessary:
- for the performance of a contract;
- for compliance with a legal obligation;
- to protect the vital interests of a person;
- for the performance of a task carried out in the public interest or in the exercise of official authority; or
- for the purposes of the legitimate interests pursued by the data controller or by a third party.
If you do use a ground other than consent to justify the processing of personal data, the Information Commissioner’s Office has made it clear that you should not seek consent as well, as this would be regarded as misleading and inherently unfair.
Whether you must keep records of your processing activities depends on the size of your organisation and the nature of the personal data you process.
Any organisation with 250 or more employees must maintain a written record of personal data processing activities for which it acts as a controller or a processor.
The records kept by a controller must contain:
- the name and contact details of the organisation and, where applicable, the Data Protection Officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- where applicable, the categories of any recipients to whom the personal data have been or will be transferred;
- where applicable, details of transfers of personal data outside the EU and their safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data; and
- where possible, a general description of the security measures in place to protect the personal data.
There are similar requirements for processors, whose records must contain:
- the name and contact details of the organisation and, where applicable, the Data Protection Officer;
- the name and contact details of the controller on behalf of whom the organisation is processing the personal data;
- the categories of processing carried out on behalf of each controller;
- where applicable, details of transfers of personal data outside the EU and their safeguards; and
- where possible, a general description of the security measures in place to protect the personal data.
Any organisation with under 250 employees should be aware that the record keeping requirements outlined above also apply to them IF the processing:
- is likely to result in a risk to the rights and freedoms of data subjects (this is defined in Recital 75 of the GDPR as processing which may give rise to any significant economic or social disadvantage, e.g. discrimination, identity theft or damage to the reputation; where data subjects might be deprived of their rights, where personal aspects are evaluated, e.g. performance at work, reliability or behaviour, location or movements, in order to create personal profiles; where personal data of vulnerable people, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects);
- is not occasional (the ICO has provided guidance that this refers to processing activities that are more than just a one-off occurrence or something done rarely);
- includes special categories of data (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or
- includes personal data relating to criminal convictions and offences.
These exceptions, in particular the “occasional” processing exclusion, create an extremely low threshold for an organisation with under 250 employees to reach. In practice, therefore, all organisations, regardless of the number of employees, should comply with the new record keeping obligations in the GDPR.
The following types of organisation need to designate a Data Protection Officer (DPO):
- public authorities;
- organisations whose core activities consist of processing operations that involve the regular and systematic monitoring of individuals on a large scale; and
- organisations whose core activities include processing of special categories of personal data on a large scale.
If your organisation falls into any of these three categories, it is mandatory for you to have a DPO.
It is clear whether an organisation is a public authority or not, but it can be far less clear whether an organisation falls into either of the other categories. To assist, the official EU provider of guidelines for the GDPR, the Article 29 Data Protection Working Party, has produced some guidance:
Core activities are the key operations of an organisation. Where processing personal data is a vital enabler to an organisation’s core activities then processing personal data should also be considered a core activity. For example, the core activity of a hospital is to provide health care. However, to provide healthcare safely and effectively a hospital must process health data, such as patients’ health records. Therefore, processing these data would also be considered one of any hospital’s core activities.
The following factors can be taken into account when determining whether the processing is carried out on a large scale:
- the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity; and
- the geographical extent of the processing activity.
The guidance gives the example that processing of patient data in the regular course of business by a hospital will be large scale processing, although processing of patient data by an individual physician will not.
The following are examples of activities that may constitute a regular and systematic monitoring of data subjects:
- operating a telecommunications network;
- providing telecommunications services;
- email retargeting;
- data-driven marketing activities;
- profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering);
- location tracking, for example, by mobile apps;
- loyalty programmes;
- behavioural advertising;
- monitoring of wellness, fitness and health data via wearable devices;
- closed circuit television; and
- connected devices e.g. smart meters, smart cars, home automation, etc.
Special categories of personal data are defined in the GDPR as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The Article 29 Data Protection Working Party recommends that unless it is unambiguous that your organisation does not require a DPO, you should conduct an internal analysis to determine whether or not a DPO is required and document your conclusion to show that the relevant factors have been properly taken account of.
The GDPR is not prescriptive in specifying the qualifications necessary for a DPO, merely stating that the DPO must have professional qualities, expert knowledge of data protection law and practices and the ability to fulfil the specified DPO tasks.
Guidance issued by the EU’s Article 29 Data Protection Working Party states that the level of expertise required should correspond to the sensitivity, complexity and amount of data an organisation processes.
A DPO can be an employee, or appointed on the basis of a service contract, but should not be anyone whose other tasks could give rise to a conflict of interest for the DPO. The official guidance makes clear that anybody with a senior management position (e.g. CEO, COO, CFO, Chief Medical Officer, Head of Marketing, HR or IT) will not be eligible for DPO positions within their own organisation. The same would be true for people in lower roles within the organisation if their roles lead to the determination of the purposes and means of processing.
Tasks of the DPO
The DPO must:
- report directly to the highest management level within the organisation;
- be contactable by data subjects with regard to all issues related to processing of their personal data and to the exercise of their rights;
- be bound by secrecy or confidentiality concerning the performance of his or her tasks, including in relation to communications with employees;
- inform and advise the organisation and its employees in relation to the protection of personal data;
- monitor the organisation’s compliance in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- provide advice, where requested, in relation to data protection impact assessments; and
- cooperate and act as a contact point with the Information Commissioner’s Office.
The organisation also has the following obligations that need to be fulfilled in relation to the DPO role:
- ensuring that the DPO is sufficiently involved in all issues which relate to the protection of personal data;
- providing the necessary resources to enable the DPO to carry out their functions and maintain their expert knowledge; and
- not issuing any instructions about the exercise of the specified DPO tasks.
The GDPR requires that the Information Commissioner’s Office be consulted by a controller where a data processing operation results in a high risk to the rights and freedoms of natural persons.
This means that you must first identify any data processing operations that you carry out that are likely to result in high risk. If you identify any operations that are likely to result in a high risk, you must then conduct a data protection impact assessment, to establish if they are indeed high risk. If any operations are found to be high risk, the ICO must be consulted.
What is “high risk” processing?
The GDPR states that processing that is likely to result in a high risk to the rights and freedoms of data subjects includes:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data (e.g. ethnic origin, sexual orientation, religious beliefs, etc.) or of personal data relating to criminal convictions and offences; or
- a systematic monitoring of a publicly accessible area on a large scale.
Offering a little more detail, the body that issues GDPR guidance on behalf of the EU, the Article 29 Working Party, considers the criteria below to be relevant to whether processing is likely to result in a high risk:
- evaluation or scoring, including profiling and predicting, especially concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements (e.g. a bank that screens its customers against a credit reference database);
- automated decision-making with legal or similarly significant effect, i.e. processing that aims at taking decisions on data subjects producing legal effects concerning the natural person;
- systematic monitoring i.e. processing used to observe, monitor or control data subjects, including data collected through a systematic monitoring of a publicly accessible area;
- special categories of data as well as personal data relating to criminal convictions or offences (e.g. a hospital keeping patients’ medical records or a private investigator keeping offenders’ details);
- data processed on a large scale (the GDPR does not define what constitutes large-scale, but the following factors should be considered when determining whether the processing is carried out on a large scale: the number of data subjects concerned, either as a specific number or as a proportion of the relevant population; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; and the geographical extent of the processing activity);
- datasets that have been matched or combined, for example originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject;
- data concerning vulnerable data subjects, because of the increased power imbalance between the data subject and the data controller, meaning the individual may be unable to consent to, or oppose, the processing of his or her data (e.g. employees would often meet serious difficulties in opposing the processing performed by their employer, when it is linked to human resources management. Similarly, children can be considered as not able to knowingly and thoughtfully oppose or consent to the processing of their data);
- innovative use or application of technological or organisational solutions, such as combining fingerprint and face recognition for improved physical access control, because the use of such technology can involve novel forms of data collection and usage, possibly with a high risk to individuals’ rights and freedoms;
- data transfer across borders outside the EU; and
- when the processing in itself prevents data subjects from exercising a right or using a service or a contract, including processing performed in a public area that people passing by cannot avoid, or processing that aims at allowing, modifying or refusing data subjects’ access to a service or entry into a contract (e.g. where a bank screens its customers against a credit reference database in order to decide whether to offer them a loan).
The more of these criteria that are met by the processing, the more likely it is to be high risk. As a rule of thumb, a processing operation meeting only one of these criteria is not generally considered to be high risk.
If you identify any data processing operations that are likely to be high risk, a data protection impact assessment is required.
What is a data protection impact assessment?
A data protection impact assessment is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to data subjects by assessing them and determining the measures to address them.
The GDPR states that, as a minimum, the assessment must contain:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
After completing the data protection impact assessment you should be able to determine whether processing that was likely to result in a high risk to the rights and freedoms of data subjects actually does result in a high risk to data subjects.
The Information Commissioner’s Office must be consulted before high risk processing is commenced, but only in cases where the residual risks remain high despite any measures taken to mitigate the risks.
Even in cases where a data protection impact assessment is not required, the Article 29 Working Party recommends carrying out the assessment as it is a useful tool to help controllers demonstrate compliance with the GDPR.
The GDPR contains new accountability provisions that oblige controllers of personal data to implement data protection by design and by default.
Data protection by design requires that data protection is embedded into the design specifications of new systems and technologies. A controller must “implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing”. In practice, this provision will impact a number of areas within an organisation, such as IT and HR, where those responsible for design and development must take data protection into account for the entire lifecycle of the system or process they are developing.
Data protection by default requires a controller to actively implement measures to prevent excessive personal data from being processed. A controller must “implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”. The practical implications for organisations are significant. For example, measures will need to be in place to prevent employees from accessing personal data that is not relevant to their role, and to ensure that the strictest privacy settings apply automatically where a customer acquires a new product or service.
The GDPR does not provide any practical guidance on the technical or organisational measures that organisations could take to comply with the requirement of data protection by design and by default. It does make the suggestion that a controller could become certified to an approved certification mechanism in order to demonstrate compliance. However, no such certification mechanism has yet been approved by the European Data Protection Board.
In the absence of regulatory guidance, the following practical measures will help achieve compliance:
- creating a process that can be used each time a new system is designed or procured to ensure that data protection by design and default are fully considered;
- reviewing the drafting of data collection forms (both paper- and web-based) to ensure that excessive data is not collected;
- implementing automated deletion processes for particular personal data or measures to ensure that personal data is flagged for deletion after a particular period; and
- pseudonymising data where possible.
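As an added illustration of three of the measures just listed (not code from the original article or from any regulator), the module below pseudonymises direct identifiers with a keyed HMAC so that the key is the “additional information” held separately, releases only the fields a stated purpose needs (data protection by default), and flags records whose retention period has run out. The field names, purposes, retention periods and sample record are all constructed assumptions.

```python
"""Illustrative 'data protection by design and by default' helpers.

Added example, not from the original article or any official guidance.
All field names, purposes and retention periods below are assumptions.
"""
import hmac
import hashlib
import secrets
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Assumed purpose -> allowed fields mapping. A field not listed for a
# purpose is never released to a caller acting for that purpose.
PURPOSE_FIELDS = {
    "payroll": {"pseudonym", "salary", "tax_code"},
    "analytics": {"pseudonym", "department", "salary_band"},
}

# Assumed retention periods per purpose (constructed values).
RETENTION = {
    "payroll": timedelta(days=6 * 365),
    "analytics": timedelta(days=365),
}

DIRECT_IDENTIFIERS = ("name", "email", "employee_id")


def make_pseudonym(key: bytes, employee_id: str) -> str:
    """Keyed HMAC-SHA256 of the identifier, truncated to 128 bits.

    An unkeyed hash of a short, guessable identifier can be reversed by
    hashing every candidate; keying with a secret held only by the
    controller prevents that, and rotating the key severs the link.
    """
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymise(record: dict, key: bytes) -> Tuple[dict, Dict[str, dict]]:
    """Split one record into (pseudonymised record, separately held link).

    The link table (pseudonym -> direct identifiers) is what must be kept
    apart from the working data set, under stricter access control.
    """
    pseudonym = make_pseudonym(key, record["employee_id"])
    link = {pseudonym: {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}}
    safe = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    safe["pseudonym"] = pseudonym
    return safe, link


def minimise(record: dict, purpose: str) -> dict:
    """Return only the fields the stated purpose needs (default deny)."""
    allowed = PURPOSE_FIELDS.get(purpose)
    if allowed is None:
        raise ValueError(f"no processing basis recorded for purpose {purpose!r}")
    return {k: v for k, v in record.items() if k in allowed}


def due_for_erasure(record: dict, purpose: str, today: date) -> bool:
    """True once the retention period for the purpose has elapsed."""
    collected = date.fromisoformat(record["collected_on"])
    return today >= collected + RETENTION[purpose]


# Constructed sample record; not real personal data.
SAMPLE = {
    "employee_id": "E-1042",
    "name": "A. Example",
    "email": "a.example@example.invalid",
    "department": "Finance",
    "salary": 41000,
    "salary_band": "C",
    "tax_code": "1257L",
    "collected_on": "2018-06-01",
}


def demo(key: Optional[bytes] = None) -> dict:
    """Run the three measures over SAMPLE and return what each produced."""
    key = key or secrets.token_bytes(32)  # controller-held pseudonymisation key
    safe, link = pseudonymise(SAMPLE, key)
    return {
        "pseudonymised": safe,
        "link_table": link,
        "payroll_view": minimise(safe, "payroll"),
        "analytics_view": minimise(safe, "analytics"),
        "analytics_due_2019_06_01": due_for_erasure(safe, "analytics", date(2019, 6, 1)),
        "payroll_due_2019_06_01": due_for_erasure(safe, "payroll", date(2019, 6, 1)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```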
A data breach is defined in the GDPR as any “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
Organisations will need to have robust systems in place to both prevent personal data breaches from occurring and to minimise the damage if a breach occurs.
To prevent a breach occurring, Article 32 of the GDPR requires an organisation to implement appropriate technical and organisational measures to ensure a level of security for the processing of personal data that is appropriate to the risk to the rights and freedoms of data subjects that the processing poses.
Organisations will be required to implement measures to prevent personal data breaches across the spectrum, from accidental and negligent breaches at the lower end of the scale, through to deliberate and malevolent actions at the higher. In determining what measures to implement, organisations will be expected to consider human factors and the physical environment as well as the cyber and technology environments.
What amounts to ‘appropriate’ security measures will depend on the circumstances. In instances of small scale processing of non-sensitive data, basic information security measures will suffice, such as ensuring mobile devices are password protected, ensuring employees are working under a duty of confidentiality, and so on. Where there is large scale processing of highly sensitive personal data, a much tighter and more sophisticated level of state-of-the-art security will be required.
If a Breach Occurs…
In order to be able to respond effectively if a personal data breach occurs, both controllers and processors should develop a Data Breach Procedure that has the formal approval of top management. The procedure should take into account the provisions of the GDPR summarised below.
If a personal data breach occurs, the controller of the data must:
- document the facts relating to the personal data breach, its effects and the remedial action taken;
- where the personal data breach is likely to result in some risk to the rights and freedoms of natural persons, notify the Information Commissioner’s Office of the personal data breach within 72 hours of becoming aware of it. This notification must:
  - describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  - communicate the name and contact details of the Data Protection Officer or other contact point where more details can be obtained;
  - describe the likely consequences of the personal data breach; and
  - describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects; and
- where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, inform the data subjects without undue delay unless:
  - the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  - the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
  - it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
The obligations on the processor of personal data in the event of a breach are more straightforward; they must simply notify the data controller about the breach without undue delay.
The GDPR has not drastically changed the rules in relation to the transfer of personal data for processing outside the EEA; the basic principle is still that such transfers are prohibited, with permissible exceptions. The most significant change is the introduction of the “Binding Corporate Rules” exception.
Under the GDPR transfers outside the EEA are allowed in the following circumstances:
- Where the Commission has decided that the country concerned provides an adequate level of protection. Currently, the only countries this applies to are Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. Companies in the United States who are signed up to Privacy Shield are also regarded as adequate. You can check whether a US company has signed up to Privacy Shield by visiting www.privacyshield.gov.
- Where “standard data protection clauses” (also known as “model clauses”) are in place with the recipient of the personal data. These are template contracts that are approved by the EU Commission. There are currently three model contracts, two governing transfers of personal data between controllers and the other governing transfers of data between a controller and a processor. More details are available on the Commission’s website.
- Where Binding Corporate Rules (BCR) allow the transfer of personal data within multinational corporate groups. This is a new concept in the GDPR, and allows global companies to move personal data much more freely and flexibly within their group structure, provided that their BCR are approved by the Information Commissioner’s Office.
- Where none of the above options apply, you can seek to rely on one of the six derogations available. These are:
- Consent – the data subject has explicitly consented to the transfer after being informed of the possible risks of the transfer due to the lack of an adequacy decision and appropriate safeguards.
- Contractual performance – in the case of a contract between the exporter of the personal data and the data subject, the transfer can be carried out where it is necessary for the performance of the contract or any pre-contractual measures taken at the request of the data subject. In the case of a contract between the exporter and someone other than the data subject, the contract must be entered into either at the data subject’s request or in their interest, and again the transfer must be necessary for the performance of the contract.
- Substantial public interest – the transfer must be necessary for important reasons of public interest, such as crime prevention or national security.
- Legal claims – the transfer of personal data will be allowed where it is necessary for the establishment, exercise or defence of legal claims.
- Vital interests – this derogation allows the transfer of personal data in matters of life or death, for example where a data subject’s medical records are transferred following a serious illness or accident abroad.
- Public registers – this final derogation allows personal data that is available on public registers, e.g. company directors, to be transferred outside the EEA.
- Finally, and as a last resort, transfers outside the EEA are allowed where they are not repetitive, concern only a limited number of data subjects, are necessary for the purposes of compelling legitimate interests pursued by the transferor (and those compelling legitimate interests are not overridden by the interests or rights and freedoms of the data subject), and the transferor has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. On top of that, the transferor must also notify the ICO and the data subject of the transfer.