Less than 9 months to go until the new EU General Data Protection Regulation (GDPR) comes into force. What might the impact on industry be, and what can organisations do to prepare?
In recent months, I have received increasing enquiries about the GDPR. In July, two enquiries made me sit up and think more carefully, mainly because they came from two very different clients: one a 6-person interior architect, the other a £15m-turnover construction subcontractor. It seems word about the GDPR is getting round - at last - and organisations are starting to listen. There is lots of commentary out there from official and unofficial sources, and some of it is more useful - and more accurate - than the rest. Here is the lowdown as I see it, including links to sources I have found helpful...
What is the General Data Protection Regulation?
GDPR is a new EU Regulation (Regulation (EU) 2016/679). It entered into force on 24 May 2016 and applies in the 28 Member States of the EU from 25 May 2018. It is directly effective and therefore needs no enabling national legislation to take effect. It will replace the current UK Data Protection Act 1998, which has been in force since March 2000 and was enacted pursuant to the 1995 EU Data Protection Directive (Directive 95/46/EC), which will be repealed.
What is the purpose of GDPR?
The purpose of GDPR is to have a single data protection law across the EU to protect the personal data of individuals in the EU (“data subjects”) when it is collected and processed by organisations.
The GDPR will apply to every organisation which processes the personal data of individuals in the EU, wherever that organisation is established: a business outside the EU which offers goods or services to people in the EU, or monitors their behaviour, is caught too (Article 3).
What was the driving force for implementation?
The EU wants to achieve the following objectives:
1. give back control of personal data to citizens;
2. ensure transparency of data collection and processing
3. simplify enforcement through unification of Member States’ laws
An alarming rise in theft of personal data and cybercrime, culminating in the Snowden affair, showed the EU that it needed to modernise legislation in line with technology. GDPR does this in part by expanding the definition of “personal data” to include online identifiers such as IP addresses, cookie identifiers and location data (Recital 30).
What are an individual’s rights under GDPR?
Where an organisation relies on consent as its lawful basis (see the lawful bases below), that consent must be freely given, specific, informed and unambiguous - and explicit for sensitive (“special category”) data - and it must cover:
1. the organisation’s collection of the individual’s personal information,
2. the purposes for which the data will be used, and
3. the way in which that data is “controlled” and “processed”.
Consent must be as easy to withdraw as it was to give, and pre-ticked boxes or silence do not count as consent.
Right to erasure aka the “right to be forgotten”
An individual is entitled to ask an organisation to delete his or her data, and the organisation must act without undue delay and in any event within one month (extendable by a further two months for complex or numerous requests, provided the individual is told why). If the data has been shared, the organisation must take reasonable steps to inform the other controllers and processors handling it that the individual has made a “right to be forgotten” request.
Right to correction
Individuals can also request that inaccurate or incomplete data about them be corrected, and the organisation must do so within the same one-month period.
Right to be informed of a breach
Individuals have a right to be told by the organisation, without undue delay, if a breach of their personal data is likely to result in a high risk to their rights and freedoms (for example, stolen passwords or financial details).
Onward disclosure to third parties
Individuals have a right to know if an organisation has disclosed their data to a third party.
Are there any exemptions under GDPR?
The GDPR narrows the room for exemptions. Only processing for national security and processing by law-enforcement authorities for crime prevention fall outside the Regulation altogether; for the other categories below (the exemptions familiar from the current Data Protection Act 1998), Member State law may restrict particular rights and obligations, but the organisation remains subject to the GDPR as a whole (Articles 23, 85 and 89):
· National security
· Crime and taxation
· Health education and social work
· Regulatory activity (e.g. protecting the public against financial loss or dishonesty, protecting charities, or ensuring fair competition in business)
· Special purpose (i.e. journalism, artistic purposes, literary purposes).
· Research history and statistics
· Information made to the public under an enactment
· Confidential reference given by the data controller
· Judicial appointments and honours
· Crown employment and crown or ministerial appointments
The one-month period for deletion or correction of data is too long, particularly if the data contains defamatory content.
Although the reduction in exemptions is welcome, there remains a risk of abuse. For example, a defamatory online article which contains an individual’s private personal details can be justified on the basis of “public interest”. As such, even if the individual succeeds in obtaining an injunction (a court order requiring the publisher to remove the article) - which could conceivably take at least a few days - by then the damage to the business’s and/or individual’s reputation has already been done. By way of comparison, Google’s stated timescale for removal of information which is defamatory or invades privacy is 28 days.
What is the impact of GDPR on SMEs and large enterprises and what does this mean for your business?
Unlike the current Act, the GDPR makes accountability an explicit obligation: organisations must not only comply but be able to demonstrate compliance, and most must keep a record of their processing activities (Article 30). In particular, where they rely on consent, they must be able to show that an individual’s consent was obtained before the data was collected or processed. In addition, organisations must be able to show that the personal data they control is processed lawfully and transparently, is kept only for as long as the specific purpose for which it was collected requires, and is deleted once that purpose has been served.
Will this mean fewer “click to unsubscribe”?
The EU is hoping so, yes! Under the new rules, when you make an online purchase, you should not receive further marketing material, which you have not expressly signed up to receive, and later have to “unsubscribe” from.
What are the lawful justifications for the use of personal data under GDPR?
If an organisation wants to process the personal data of an individual in the EU, the processing must rest on at least one of the six lawful bases in Article 6:
1. The subject has given consent.
2. The processing is necessary to perform a contract with the subject (or to take steps at the subject’s request before entering into one).
3. The processing is necessary to comply with a legal obligation.
4. The processing is necessary to protect the vital interests of the subject or of another person (i.e. a matter of life or death).
5. The processing is necessary for a task carried out in the public interest or in the exercise of official authority.
6. The processing is necessary for the legitimate interests of the organisation or a third party, provided these are not overridden by the subject’s interests and rights. The Regulation gives fraud prevention as an example of a legitimate interest (Recital 47), and notes that direct marketing may also qualify.
Whichever basis is chosen, the purpose must be decided and recorded up front: the organisation may not later use the data for a new, incompatible purpose without a lawful basis for that purpose (and, where consent was the original basis, without fresh consent).
What is a Data Protection Officer (“DPO”)?
The GDPR says that a DPO should have “expert knowledge of data protection law and practice”. Ref: (https://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083). It is estimated that the GDPR will result in more than 28,000 new DPO jobs in Europe.
Do I have to hire a DPO?
The starting point is that any organisation may appoint a DPO. Article 37 requires one for public authorities; for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale; and for organisations whose core activities involve large-scale processing of sensitive personal data (e.g. health, biometric or genetic information, which can uniquely identify an individual) or of criminal conviction data. Note that headcount is not the test: the 250-employee threshold often quoted relates to the record-keeping exemption, not to the DPO. A group of affiliated organisations (e.g. a parent and its subsidiaries) may share a single DPO, provided the DPO is easily accessible from each of them. Even so, this may require a change to the organisation’s structure, since the DPO must report directly to the highest level of management, must be given adequate resources, and may not be instructed on how to perform his or her tasks or be dismissed or penalised for performing them.
SMEs will not usually be required to appoint a DPO unless their core activities involve large-scale monitoring or large-scale processing of sensitive data. Notwithstanding that, SMEs should ensure that they have the staff and skills to discharge their obligations on the collection, storage, retention and processing of data (and have a destruction policy).
What are a DPO’s responsibilities?
The key responsibilities are:
1. to inform and advise their organisation on the compliance and monitoring requirements for GDPR.
2. to be the main point of contact and liaison between their organisation and the Supervisory Authority (i.e. the regulator; in the UK this is the Information Commissioner’s Office, the ICO).
3. to monitor that the organisation keeps its record of processing activities up to date and can supply an individual’s data in a structured, commonly used and machine-readable format (e.g. CSV) when a data portability request is received.
4. to ensure that other organisations which hold copies of the personal data on the organisation’s behalf are asked to delete them when a right to be forgotten request is received.
5. to assist individuals who enquire about the use, deletion or correction of their personal data.
What if there is a breach of security and personal data is stolen or compromised?
Organisations must notify the ICO within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals, and must tell the affected individuals without undue delay where the breach is likely to result in a high risk to them. The notification must describe the nature of the breach, its likely consequences and the remediation steps being taken. Failure to notify could result in a fine of up to 2% of annual worldwide turnover or €10 million (whichever is greater).
What about Brexit?
The UK government has confirmed that the GDPR will apply in the UK from May 2018 regardless of Brexit, and that it intends to keep UK law aligned with it afterwards.
What are other countries doing?
The GDPR draws heavily on existing German law. Canada has had its Anti-Spam Legislation (CASL) since 1 July 2014, which has a far-reaching effect similar to the GDPR’s consent rules for electronic marketing. Other countries are monitoring and updating their legislation to keep pace with technology and the desire for privacy.
What are some top tips from experts to becoming GDPR compliant?
Start with the UK ICO’s “Preparing for the GDPR: 12 steps to take now”. It is a good introduction to the GDPR, and I have used it as a checklist to scope work with clients.
Work out if you must hire a DPO, since this will show the way forward.
Liaise with suppliers as to how they will handle data deletion requests which you receive, and which have to pass down the chain. In multi-tiered projects, this is especially important.
Conduct a data protection impact assessment (DPIA, also known as a “privacy impact assessment”; mandatory under Article 35 where the processing is likely to result in a high risk to individuals). This will give a clear picture of where all the personal data in your organisation sits and map out the data flow.
Undertake a risk assessment to evaluate the likelihood of a security breach, because the timescale to rectify is very short, and the impact may be significant on a part-completed project.
Educate your employees on the dangers of data and security breaches and ensure they are not inadvertently exposing the organisation’s data, e.g. by accessing or storing company information on a personal device. Ensure they know the corporate data security policy! (Note to self: does my organisation have such a policy?...)
Consider implementing a “privacy by design” approach within the organisation (see separate article on this [LINK COMING SOON!]).
Consider obtaining ISO 27001 certification for the organisation (see my hot-off-the-press article for LexisPSL UK Industry Insight No. 19)
Use a trusted consultant to audit the organisation’s data protection policies and technology
Involve the IT team since they love to provide solutions to problems!
The maximum penalty for non-compliance with the GDPR is a fine of up to €20 million or 4% of annual worldwide turnover, whichever is greater. This upper tier applies to breaches of the basic principles, of individuals’ rights and of the rules on international transfers. A failure to maintain the required records, or to meet the other obligations placed on controllers and processors, falls in the lower tier, which carries a fine of up to €10 million or 2% of turnover.
So in a nutshell, what is the industry’s view of GDPR?
Generally, the mood is positive. Data protection is a minefield and organisations need guidance and help. The penalties are hefty, and deliberately so. The GDPR will force organisations to adopt clear policies and procedures to protect personal data and will strengthen the rights of individuals in the EU. However, UK businesses are woefully under-prepared: a recent YouGov survey (https://teiss.co.uk/information-security/uk-businesses-not-ready-gdpr/) found that fewer than a third of the 2,000 businesses surveyed had started to prepare for the GDPR.
However, the enquiries I have recently received from clients of all shapes and sizes show that awareness is growing. Now is the time for organisations to start to critically appraise existing data storage and usage policies and systems, and make changes to ensure compliance for May 2018. Make the GDPR your next project!