The General Data Protection Regulation (GDPR) will apply from 25 May 2018 and will reform data protection law across the European Union. The UK government has confirmed it will implement the GDPR despite Brexit, so businesses need to start preparing now.
The obligations will apply directly to data processors as well as to data controllers (under the current rules only data controllers are in scope) and are significantly more comprehensive than the existing requirements, introducing tough new privacy obligations in every EU Member State.
Sanctions for non-compliance will be severe and include administrative fines of up to EUR 20 million or 4% of an organisation's total worldwide annual turnover for the preceding financial year, whichever is higher.
We have summarised some of the key changes and set out steps your organisation can take to prepare for the changes, and will continue to keep you informed with analysis and updates.
Wider definition of ‘personal data’
Reflecting the fast pace of technological change, the definition of 'personal data' under the GDPR is wider than at present. It covers any information relating to an identified or identifiable individual, and expressly includes identifiers such as location data and online identifiers, as well as genetic data and biometric data such as facial images and fingerprints.
From an HR point of view (personnel files and other employee records), the definition of a 'filing system' is also wider. It now includes electronic data and structured manual files containing personal data that are not necessarily searchable by name but are accessible by some other criterion, for instance chronologically or by employee characteristics.
Consent and lawful processing
For consent to processing to be valid, organisations will need to be transparent and tell individuals, in clear and plain language, the purposes for which their data is being collected before consent is given. Consent can be withdrawn at any time, on a purpose-by-purpose basis if the individual so wishes, and will not be treated as freely given where there is a clear imbalance of power between the individual and the organisation.
We would suggest that the employment relationship represents such an imbalance and that employers who wish to play it safe, at least to begin with, should not rely on consent but on other lawful grounds for processing, such as performance of the employment contract or compliance with a legal obligation. Employers will need to take a hard look at what they do with employee data to make sure each processing activity falls under one of these headings.
Where 'special category' personal data is involved (a broad category, ranging from trade union membership to sexual orientation, health data and biometric data), processing is prohibited unless one of a short list of conditions applies. 'Explicit' consent is one of those conditions, but in the employment context the condition covering processing necessary to carry out obligations under employment law will often be more appropriate. It is not yet clear exactly what 'explicit' will require in practice, but where consent is relied on we would advise that the form of consent at least specifically identify the special categories of personal data being processed.
Under the GDPR, consent must be freely given, specific, informed and unambiguous. Consent must be separate from other terms and must be a positive opt-in. Remaining silent on consent or providing a default pre-ticked box will not be sufficient to establish consent. Consent must also be verifiable, and therefore you will need to ensure there is a record of how and when consent was given.
Data controllers will need to explicitly inform individuals about their rights when obtaining personal data, including the rights relating to subject access requests, rectification or erasure, data portability, and the right to withdraw consent.
They will also need to make clear the legal basis on which processing is taking place, how long the data will be retained, and whether the data will be transferred overseas (and, if outside the EEA, whether the transfer rests on an adequacy decision or on other appropriate safeguards).
The notices must be set out in a manner which individuals will be able to read and understand.
Subject access requests
If an individual makes a subject access request, the data controller will have one month to comply, rather than the current 40 days, and in most cases will not be permitted to charge a fee for the request.
Where the request is made electronically, the data must be provided in a commonly used electronic format. The separate right to data portability goes further: data the individual has provided, and which is processed by automated means on the basis of consent or a contract, must be supplied in a structured, commonly used, machine-readable format. Because the portability right only covers automated processing, handwritten notes fall outside it, but they remain disclosable under a subject access request if they form part of a filing system.
Organisations will therefore want to put suitable procedures in place to deal with such requests, provide training to staff, and ensure that data is stored in a format from which it can readily be extracted.
Data Protection Officer requirement
Public authorities, and organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data, must appoint a Data Protection Officer (DPO) to oversee compliance with the GDPR. The DPO must have professional experience and expert knowledge of data protection law and practice, as they will be the first point of contact for data protection matters, both internally and for the supervisory authority.
Breach notification
The GDPR requires data controllers to notify the supervisory authority (in the UK, this will be the ICO) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Data processors must notify the relevant controller without undue delay. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
In addition, where the breach is likely to result in a high risk to the rights and freedoms of individuals, controllers will in most cases also have to notify the individuals affected without undue delay.
Right to be forgotten
The GDPR gives data subjects the right to request erasure of their personal data without undue delay in certain circumstances, including where the personal data is no longer necessary for the purposes for which it was originally collected or processed, or where the individual has withdrawn the consent on which processing was based.
There are several grounds on which a controller may refuse a request for erasure, for example where the data must be retained to comply with a legal obligation or is needed for the establishment, exercise or defence of legal claims. Employers should check whether statutory retention periods (for payroll, tax or health and safety records, for instance) apply before deleting data in response to a request.
Companies should ensure procedures are reviewed and amended to reflect the extended rights of individuals under the GDPR and relevant training is provided to staff.
To ensure your organisation is compliant with the standards required under the GDPR, it is important to audit your data processing activities, privacy notices and organisational structure to determine what gaps exist within your current state of compliance. You will then have time to put them right before May 2018.
Contact us to find out how we can help to ensure your organisation is prepared for the GDPR.