New General Data Protection Regulation
Wednesday 8th June 2016
In the first of a two part article, Jessica Cumming, a corporate solicitor at Gordons, looks at the proposed wide-ranging changes to data protection legislation. Once the proposals are finalised, the second article will look at the steps organisations can make to ensure they are ahead of the game.
The General Data Protection Regulation (GDPR) was finally approved by the European Union, the EU Council and Parliament on 14 April 2016 and is expected to come into force in 2018. The GDPR will replace all data protection legislation in EU member states, including the Data Protection Act 1998 (DPA 1998). The new framework aims to put individuals in control of their personal data, and will require organisations that process data to put a much stricter focus on data protection.
Headline changes to be aware of include:
The data protection principles
The principles as set out within the DPA 1998 will remain but have been consolidated into 6 rather than 8 principles.
Definition of personal data
The definition will encompass additional factors by which an individual may be identified, including their genetic, physical, physiological, mental, economic, cultural or social identity.
The reach extends beyond the EU
Data controllers and processors outside the EU will be subject to the GDPR if they process personal data in order to offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU. Many of these organisations will be required to appoint an EU representative under GDPR.
Fines: errors will be expensive
Data controllers or processors that fail to comply with GDPR face fines of up to 4% of annual worldwide turnover or €20m (for serious breaches). Errors deemed less serious could attract a fine of up to 2% annual worldwide turnover or €10m.
In the case of corporate groups, the percentage applies to consolidated revenue. The penalties could easily therefore run to amounts that surpass the current penalty of £500k that can be issued by the Information Commissioner’s Office (ICO). These fines will be in addition to a data subject’s right to claim civil damages.
As with the DPA 1998, GDPR will require data controllers to have a legitimate reason for processing personal data. If they rely on the consent of the data subject, they must be able to demonstrate that it was freely given and unambiguous by a written or oral statement. Silence, inactivity or pre-ticked boxes will no longer constitute consent. A data subject’s consent to processing of their personal data must be freely given, unambiguous and communicated by a statement of ‘clear affirmative action’.
Where personal data of a child under 16 is being processed to provide ‘information society services’ (e.g. social networking sites, online business etc), consent must be obtained from the holder of parental responsibility for the child. Member states may lower this threshold provided such lower age is not below 13 years.
Data subject’s rights
GDPR expands the data subject’s rights. This includes a data subject’s right to request rectification of inaccurate data and that data is processed for restricted purposes. Data subjects may also request a copy of personal data in a format usable by them (e.g. electronic format) and request the transfer of data from one controller to another. GDPR introduces a new right for data subjects known as ‘the right to be forgotten.’ In certain circumstances, data subjects can request that their personal data is erased and no longer processed.
Data controllers must be able to demonstrate compliance with GDPR by implementing technical and organisational measures. This can include data protection policies (where proportionate), along with adherence to codes of conduct, certification mechanisms and data protection seals and marks produced to demonstrate compliance with the GDPR.
Data protection by design and impact assessments
Data controllers should include data protection controls at the design stage of products, projects or services involving the processing of personal data. Before carrying out data processing that is expected to result in high risks to the privacy of data subjects, data controllers must carry out a data protection impact assessment. Member states data protection regulators will provide further detail of what sort of processing would warrant such an assessment and guidance on the process to be used.
The current system of registration/notification will be replaced with a requirement for the data controller to maintain a record of processing activities under its responsibility including details such as the purpose of processing personal data, description of categories of data subjects and personal data, transfer to third countries, time frames for erasure and descriptions of the technical and organisational measures in place. Such records should be made available to the relevant member state supervisory authority upon request.
Data breach notification
Data controllers must notify the ICO when they become aware that a personal data breach has occurred without undue delay and, where feasible, within 72 hours of awareness (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals). An explanation will be required when this timescale cannot be met. If the breach is likely to result in a high risk to the rights and freedoms of data subjects, the data subjects must also be notified without undue delay.
Data processors will have direct obligations
Currently, legal responsibility for compliance with the DPA 1998 falls directly on the data controller and not the data processor. GDPR places direct obligations on data processors such as the requirement to implement technical and organisational measures, notify the data controller of data breaches, deletion/return of personal data at the end of provision of services and where appropriate, appointment of a data protection officer.
Data protection officers (DPOs)
GDPR details circumstances where data controllers and processors must appoint a data protection officer. This includes where processing is carried out by a public authority, the core activities of the controller and processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large scale processing of special categories of personal data.’ The DPOs will be required to fulfil a number of obligations. These include: (i) monitoring compliance, (ii) liaising with the ICO and (iii) training staff.
Transfers of personal data to third countries/international organisations
Perhaps disappointingly, the requirements for transfer of data outside the EU have not changed much in comparison to the current system. Such transfers of data can either be made where the Commission deems the country to have an adequate level of protection and in the absence of this, appropriate safeguards should be provided such as entry into standard data protection clauses adopted by the Commission or legitimised by binding corporate rules.
European data protection board
The new independent board will replace the article 29 working party. Its remit shall include issuing guidelines, recommendations and best practice on the application of GDPR.
Although GDPR has been agreed, there will now be a period of technical checking and formal approvals followed by translation for all 28 member states. This may take several months and last minute changes cannot be ruled out. The final version of the GDPR should be available later in 2016.