The European General Data Protection Regulation (GDPR) will come into force on 25 May 2018. It aims to standardise and strengthen the right of European citizens to data privacy by emphasising transparency, security and accountability by data controllers.
While many of the themes, high level requirements and language of the GDPR are not vastly different from existing data protection legislation, the GDPR imposes new obligations and stricter requirements on in-scope organisations. The GDPR also includes provisions to impose administrative fines of up to €20 million or up to 4 percent of global turnover (whichever is higher) for certain infringements. If an organisation processes the personal data of people in the EU, or is a data controller or processor established in the EU, the GDPR will apply.
The GDPR expands the classification of ‘personal data’ to data from which a living individual can be identified. The obvious examples of this are a name or an identification number. The GDPR also covers less obvious examples of personal data through which one could reasonably identify an individual, such as an IP address, location data, mobile device identifier or factors specific to the physical, cultural or social identity of that person.
Article 9 describes the circumstances under which the processing of ‘special categories of data’, (also known as ‘sensitive personal data’) may take place. The categories of data which are considered ‘sensitive’ have been expanded from previous legislation – they now include genetic and biometric data as well as information such as health, ethnic origin, sexual orientation and political or religious beliefs.
A data controller is a person or entity that determines the means and purposes of the processing that will occur on personal data it holds. A data processor performs the processing on behalf of the data controller – for example, an organisation (the data controller) may utilise the services of a marketing company or a payroll firm to perform work on the data controller’s behalf. Data processors may be subject to fines or other sanctions if they don’t comply with the GDPR requirements.
Data controllers are liable for their own compliance with the GDPR. If a data controller utilises a data processor, a binding written contract (or other legal provision) must be in place that governs that processing. Similarly, if a data processor employs another sub-processor they too are required to have a written contract. Any contracts that are active when the GDPR comes into effect must meet the new GDPR requirements.
The GDPR also sets out minimum requirements for what must be included in a contract. These requirements include clauses stipulating the type of personal data that is to be processed as well as the nature and purpose of that processing. The contracts must also govern the management of the Personal data by the data processor, including their taking appropriate measures to secure the data and assisting the data controller in meeting the rights of data subjects as laid out by the GDPR. If a data processor fails to meet its obligations, or acts outside of the instructions of the data controller, then it may be liable for damages in legal proceedings and/or subject to fines under the GDPR.
The UK Information Commissioner’s Office published draft guidance on contractual requirements in September 2017. This guidance refers to standard contractual clauses being made available – however, at the time of writing, no such clauses have been published.
Further requirements are introduced if personal data is being transferred outside of the European Economic Area to a ‘third country’. Irish organisations that transfer personal data from Ireland to third countries will need to ensure that the country in question provides an adequate level of data protection. Some third countries have been approved for this purpose by the EU Commission. If the third country has not been approved, data controllers must rely upon one of nine alternative measures, most likely an arrangement which has been approved in advance by the Data Protection Commissioner. Model contracts have been prepared for this purpose by the EU Commission and are available to download from their website.
Article 6 sets out the six types of ‘lawful basis’ that apply for the processing of personal data, including the fulfilment of contractual or legal obligations.
If an organisation relies on consent from an individual for the processing of their data, then higher standards for that consent will apply. The language used in requesting consent must be specific, clear and unambiguous. Recital 32 states that consent must be given by “a clear affirmative act” for each processing purpose and that a pre-ticked box on a website, for example, does not constitute consent. Furthermore, individuals have the right to withdraw this consent at any time, and appropriate mechanisms must be provided to allow them to do so. Additional restrictions apply to children consenting to the use of their Personal data.
The use of ‘legitimate interest’ may be a lawful basis for processing personal data. The GDPR Recitals cite examples of processing that could be in the legitimate interest of the data controller. Recital 47 states that “Such legitimate interest could exist … where there is a relevant and appropriate relationship between the data subject and the controller … such as where the data subject is a client or in the service of the controller”. Recitals 47 to 50 further cite direct marketing, transmitting personal data between a group of undertakings for administrative reasons, ensuring network security and reporting potential criminal acts as potential processing activities that could use this lawful basis. However, careful consideration is required before relying on legitimate interests as a grounds for processing. Recital 47 cautions that data controllers should consider the expectations of data subjects in assessing a legitimate interest, including if the data subject can “reasonably expect” their data to be processed for that purpose.
Articles 12 – 23 of the GDPR cover the enhanced rights of individuals under the GDPR. Among these rights, the GDPR obliges organisations to provide ‘fair processing information’, typically through a privacy notice at the point of data capture. Other rights include the right to obtain access to their Personal data, to have their data rectified if it is inaccurate or incomplete, to object to their data being processed and to have their data securely moved or copied from one IT environment to another. While individual rights granted by the GDPR are similar to those under existing data protection legislation, existing organisational processes should be revisited to ensure compliance with enhancements e.g. being able to provide Personal data in a structured, commonly used and machine-readable format. Should an organisation suffer a data breach, new obligations apply around how and when that breach should be reported.
Article 5 of the GDPR places the onus on organisations to demonstrate their compliance with the GDPR under the principle of ‘accountability’. This may require organisational changes to their approach to data protection compliance. Organisations will be required to evidence that the Personal data that they acquire is done so in a lawful, transparent manner. Furthermore, they must ensure that they can demonstrate that only the minimal amount of data required is captured, that the data is securely managed and that it is retained for no longer than is demonstrably necessary for the purposes of processing. Article 25 of the GDPR covers the concept of ‘data protection by design’, requiring that “appropriate technical and organisational measures” are implemented from the outset of data processing activities.
Article 35 includes a requirement that organisations conduct Data Protection Impact Assessments (DPIAs) where the processing is “likely to result in a high risk to the rights and freedoms of natural persons”. The Article 29 Working Party (an official advisory body consisting of representatives from the data protection authorities of each EU Member state) has provided guidance on how and when DPIAs should be conducted. While the requirement for DPIAs applies to processing operations initiated after the GPDR becomes applicable on 25 May 2018, the Article 29 Working Party "strongly recommends" that DPIAs should be carried out for processing that is already underway.
The above highlights some of the areas where the GDPR imposes higher standards for data protection. It is an organisation’s responsibility to demonstrate how they are compliant with the GDPR principles.
A key initial step is to understand what personal data your organisation processes. This should be documented, showing how personal data is captured, where it is stored and under what lawful basis (as defined by the GDPR) the data is processed. This document should also capture any personal data that is transferred to third-party processors.
Among the subsequent steps to take, an organisation should validate that they have;
In parallel to the above activities, it is crucial that your organisational culture supports your GDPR obligations. Training and awareness activities should be conducted so that everybody in your organisation is aware of your organisational policies and requirements for compliance. Furthermore, support is required from the highest levels of your organisation to ensure that compliance forms a key part of your management activities.
The Data Protection Commissioner has a dedicated GDPR website, www.gdprandyou.ie. It includes resources and guidance on many aspects of the GDPR, and provides links to further official guidance.
The UK Information Commissioner’s Office, ico.org.uk, provides a GDPR readiness assessment checklist which can help you to identify the areas of GDPR compliance in which you are lacking.
This article was originally published in Eolas magazine and has been reproduced here with their kind permission.