General Data Protection Regulation (GDPR) Guidance Notes
Introduction
The GDPR will be effective in the UK from 25 May 2018 in the form of the Data Protection Act 2018. It replaces the existing EC Data Protection Directive and introduces new rights for individuals and new obligations and responsibilities for data Processors, and extends existing obligations and responsibilities for data Controllers. The new regime also increases enforcement powers, with fines of up to EUR 20 million or 4% of an organisation’s worldwide annual turnover, whichever is the greater.
The purpose of the GDPR is to protect the privacy of the individuals (data subjects) whose Personal Data you collect, hold and process. The Information Commissioner’s Office (ICO) has therefore made it clear that compliance with the GDPR should not just be a box-ticking exercise. Organisations can and should use this opportunity to develop and reinforce the relationship of trust with their clients and customers. We recommend that this is how you treat the process. The following steps will provide a good framework for working towards GDPR compliance.
The GDPR applies to the controlling and processing of Personal Data and Sensitive Personal Data. Sensitive Personal Data requires greater care than other Personal Data and, if you are processing this type of data, you must ensure that you satisfy one of the additional legal grounds for processing such data as well as one of the general conditions which will apply in every case. The relevant definitions are set out in Appendix I to this note and the grounds for processing are set out in Appendix II.
Do not forget that the GDPR will also apply to non-EU organisations where they process Personal Data about individuals who are in the EU, as well as to organisations which are established in the EU. It will also apply in the United Kingdom irrespective of Brexit.
• Involve key individuals and board/management
• Review data and data flow and prepare data record
• Review existing processes and procedures
• Review security systems and breach reporting procedures
• Provide staff training
• Consider lawful basis for processing
• Review Privacy Notices
• Data Protection/Privacy Impact Assessment
• Review contracts with third parties & insurance contracts
• Validate and test on an ongoing basis
The Regulation
The GDPR Principles
The GDPR introduces six principles which govern the processing of Personal Data. They are:
1. Lawfulness, Fairness and Transparency
Lawfulness
Data must be processed lawfully. The GDPR lists the six lawful grounds for processing Personal Data. The grounds for processing Personal and Sensitive Personal Data are set out in Appendix II to this note and some of the relevant grounds are dealt with in more detail below.
Fairness
To meet the requirement of fairness, the Controller or Processor must consider whether an individual would feel that the data processing is unfair.
Transparency
For the processing of data to be considered to be fair, there must be transparency, i.e. the individual must be provided with accurate information about how their data is being processed. You must inform individuals about the way in which you intend to process their data and the lawful ground upon which you rely to process data.
2. Purpose Limitation
Organisations should only collect Personal Data for legitimate purposes and the processing of data should not be incompatible with those purposes, except in limited circumstances. The purpose for which Personal Data is processed must be explained to individuals. This is usually done by way of a privacy notice. You must inform individuals of the purpose for which their Personal Data will be processed.
3. Data Minimisation
Personal Data must be adequate, relevant and limited to what is necessary for the purpose of processing. Organisations will therefore need to consider whether they collect more data than necessary and may need to refine their processing since collection of excess data may be in breach of the GDPR.
4. Accuracy
Personal Data must be accurate and up-to-date and corrected or deleted without delay if it is not. Organisations therefore need to review their processes to ensure that they hold accurate Personal Data.
5. Storage Limitation
The GDPR prohibits the storage of Personal Data for longer than is necessary to fulfil the purposes for which it was collected. How long is necessary will depend upon the specific legal or business reasons for which the Personal Data was collected or is being retained. It will rarely be justifiable to retain the information for an unlimited period of time.
6. Integrity and Confidentiality
The GDPR imposes security obligations on organisations that process Personal Data. Organisations should therefore review their current processes to check that security measures protect Personal Data against unauthorised and unlawful processing, accidental loss, destruction or damage.
Accountability
At the heart of the GDPR is the principle of accountability. This principle requires Controllers to be able to demonstrate compliance with the six fundamental principles referred to above both to the public and to the regulator. This will include the following:
An appropriate data protection policy
A record of processing activities
A data protection officer in some circumstances
Training
Audits
Data protection impact assessment
Evidence of privacy by design and by default (see below)
Privacy by Design and by Default
The GDPR also requires data protection by design and by default.
Privacy by design means that Controllers are required to adopt internal policies and measures to ensure that the principles of the GDPR are integrated into processing activities, i.e. that the principles are designed into their processes. Privacy by default requires Controllers to implement technical and organisational measures to ensure that only Personal Data necessary for the specific purpose for which it is collected is processed. This principle also extends to the quantity of data collected, the extent of processing, the period of storage and accessibility to that data. Organisations will need to adopt policies and measures so that these principles are embedded at the heart of the organisation.
Individual Rights
The GDPR sets out a number of rights individual have in relation to the processing of their Personal Data. Organisations should review their processes and procedures to ensure they satisfy the requirements of the GDPR in respect of those rights. The right to transparency and rectification are dealt with above. We summarise the other rights below.
Rights of Individuals under the GDPR: transparency; access to Personal Data; to be forgotten; restrict processing; object to processing; receive data; data portability; rights in relation to automated decisions.
Access to Personal Data
Individuals can request information which is held about them. If an individual makes such a request, a data Controller must provide the Personal Data promptly and in any event within one month of receipt of the request, with a possible extension of two months where the request is complex and numerous. This right is subject only to certain obligations the Controller has to third parties, such as in respect of intellectual property rights. Do your systems allow you to respond to such requests in a way which is compliant with the GDPR?
Erasure
Individuals have the right to request that their data is erased where it is no longer necessary for the purposes for which it was collected. However, this right does not exist where there is a lawful reason to continue to process such data. Do your systems allow you to delete Personal Data in a way which is compliant with the GDPR?
Restriction of processing
Individuals have the right to request that the processing of their Personal Data is restricted if:
• the data is inaccurate;
• the processing is unlawful;
• the Controller no longer requires the data for establishing, exercising or defending legal claims; or
• the data subject has exercised the right to object to processing (see below).
Objection to processing
Individuals can also object to certain types of processing in specific circumstances:
• where processing is based on legitimate interests, the performance of a task carried out in the public interest or the exercise of official authority;
• in relation to direct marketing; and
• where data is used for scientific/historical research or statistical purposes.
If an individual objects to processing for direct marketing, the Controller must cease to process immediately upon receiving the request. There are no grounds for the Controller to refuse to comply in these circumstances.
Data portability
Individuals can request information from the data Controller and reuse it for other service providers. In some circumstances, individuals can also instruct a Controller to send Personal Data to another Controller. You will need to have systems in place to be able to provide the data in a structured, commonly used and machine readable form in the event of such a request. This must be done free of charge. Do your systems allow you to transfer Personal Data in a way which is compliant with the GDPR?
Breach Notification and Sanctions
The GDPR introduces a new mandatory breach notification requirement. If a Controller becomes aware of a breach, they must report it promptly to the supervisory authority. If there is a high risk to individuals of physical, material and non-material damage, the organisation must also report the breach to the individuals affected by the breach. Where a Processor becomes aware of a breach, it must inform the Controller without delay. Any contract between the Controllers and Processors should require the Processor to assist the Controller in ensuring compliance with the GDPR. Organisations should have systems in place to be able to establish whether a breach has occurred such as breach detection software. Organisations will also need to have a data breach policy in place and provide training on what to do in the event of a breach. It is essential that you and your staff understand what to do in the event of a breach and that you have systems in place to enable you to report breaches in accordance with GDPR requirements. Some organisations may choose to appoint a Data Protection Officer (DPO) to do this even if they are not formally required to by the GDPR. In relation to Personal Data breaches which are likely to result in a risk to affected individuals, prompt notification to the authorities means within 72 hours and without undue delay in certain high risk circumstances. Do you have adequate systems and procedures in place to identify and report a breach?
Remedies and Sanctions
The objective of the GDPR is to protect the privacy of individuals. It therefore gives individuals the right to make complaints to the supervisory authority about organisations which are in breach. It also establishes the right to compensation for damage suffered by individuals as a direct result of processing if it infringes the individual’s rights. Penalties for breach are potentially harsh under the GDPR. The most serious infringements are open to fines of up to EUR 20 Million or up to 4% of annual worldwide turnover, whichever the greater. It has been made clear, however, that the penalties imposed will be proportionate to the breach.
Practical considerations
Legal Grounds for Processing
Organisations will need to identify a lawful basis for processing Personal Data. You will have to document and explain that lawful basis to individuals. It should be possible to review the types of data processing you carry out and identify your lawful basis for doing so. Organisations will need to be extra careful when processing Sensitive Personal Data rather than Personal Data. Most of the lawful grounds for processing Personal Data are self-explanatory. However, we have set out below some more detail about legal grounds which may be relevant to you and which potentially require further explanation.
Consent
Consent is one of the lawful grounds an organisation can rely upon for processing data. The ICO has provided draft guidance on the lawful basis of ‘consent’ which can be found here https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consentguidance-for-consultation-201703.pdf. The final version of the guidance is due to be issued later this year and this should be treated as interim guidance at this stage. If you are relying on consent as your lawful ground for processing data, you will need to review how this is currently obtained, recorded and managed to see whether any changes need to be made in order to comply with the GDPR. If your current processes do not meet the GDPR standard then they will need to be updated. The following checklist may assist:
Has consent been freely given?
Is consent specific, informed and unambiguous?
There must be a positive “opt-in” option. Consent cannot be inferred from silence or pre-ticked boxes.
Consent must be separated from all other terms and conditions (it cannot be buried in your standard T&Cs).
Consent must be “unbundled” i.e. it must be obtained in relation to each different process.
Have you made it clear that consent can be withdrawn?
Have you kept a record of consent as evidence that it was obtained?
Is consent your best option for lawfully processing data? Do not overlook the other lawful grounds for processing as these may be more suitable than consent in the circumstances.
Legitimate interests
Another possible lawful ground for processing Personal Data is where the processing of that data is in the legitimate interests of your business. The GDPR provides examples of when the legitimate interest ground might be appropriate. These include:
• processing Personal Data for marketing purposes (GDPR recital 47);
• to prevent fraud (GDPR recital 47);
• transfer within a group of undertakings for internal administrative reasons, e.g. HR, software systems or client management databases (GDPR recital 48); and
• to maintain cyber-security (GDPR recital 49).
The reference to marketing in the GDPR here is rather confusing and needs to be considered in the round. What should not be forgotten is that the Privacy and Electronic Communications Regulations (PECR) already apply to marketing and impose certain requirements with regard to the consent required for direct marketing. If you have legitimately collected data for direct marketing under the PECR standards, it may be that you can process that data for marketing activities under the legitimate interest ground in the GDPR. The PECR can be found here: http://www.legislation.gov.uk/uksi/2003/2426/pdfs/uksi_20032426_en.pdf and the ICO’s checklist here: https://ico.org.uk/media/fororganisations/documents/1551/direct-marketing-checklist.pdf.
As to whether a legitimate interest exists, this will depend on the circumstances and will require a full analysis and careful consideration of whether the processing really is in the legitimate interests of the business and does not affect the fundamental rights and freedoms of the individual whose data you are processing. An evaluation of the individual’s expectations at the time the data was collected may assist; if processing would be outside of those expectations, legitimate interests is unlikely to apply.
The ICO has said that it intends to issue guidance on the legitimate interest ground for processing. However, it has also made it clear that organisations know their business best and so they will need to decide which ground is best for them and document their decisions to demonstrate to the ICO which lawful basis justifies the data processing. Legitimate interest cannot be used in circumstances involving public authorities or children. Nor should it be used where an individual’s fundamental rights and freedoms may be affected.
Necessary for the performance of a contract
The GDPR also provides a lawful basis for processing where it is necessary to perform a contract to which the individual is a party or where processing is necessary in order to take steps at the request of the individual prior to entering into a contract.
Maintaining a record of data processing activity
The GDPR requires you to maintain a register of your data processing activities. It must be:
• in writing (including in electronic form); and
• made available to the supervisory authority on request.
There is an exception to this requirement where the organisation employs fewer than 250 individuals, does not engage in high-risk activities and where processing is occasional and does not include Sensitive Personal Data.
Security measures
Organisations must maintain security measures which are appropriate to the risk involved in their processing activities, the cost of implementation, current technological developments and the likelihood and severity of risk to individuals. Appropriate security measures may include:
• Encryption
• Pseudonymisation (i.e. data is replaced by pseudonyms such that the individual cannot be identified)
• Password protection
• Access on a ‘need to know’ basis
• Clear desk policy
• Data protection training and clear policies.
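Pseudonymisation, as the list above defines it, is easy to get wrong: a token that anyone can recompute from the name or e-mail address does not stop the individual being identified. The following is an added example, not part of the guidance note, showing keyed pseudonymisation with HMAC-SHA256: direct identifiers are stripped from the working dataset and replaced with a token that only the holder of a separately stored key can recompute, while records about the same person stay linkable for analysis. The field names, sample records and key handling are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Fields that identify a person directly; they are removed from the working
# dataset. The field names are an assumption for this example.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records (not data from the guidance note). The first and
# third records are the same person, with the e-mail address cased differently.
SAMPLE_RECORDS: List[Dict] = [
    {"name": "Alice Example", "email": "alice@example.org", "order_total": 120.50, "region": "London"},
    {"name": "Bob Example", "email": "Bob@Example.org", "order_total": 75.00, "region": "Leeds"},
    {"name": "Alice Example", "email": "ALICE@example.org", "order_total": 30.00, "region": "London"},
]


def new_key() -> bytes:
    """Generate the pseudonymisation key. In practice it lives in a key store
    or HSM, separate from the pseudonymised data, with its own access controls."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Derive a stable keyed pseudonym for one identifier with HMAC-SHA256.

    Normalising case and whitespace first means records about the same person
    map to the same token, so analysis over the dataset still works. Without
    the key the token cannot be recomputed, which is what makes it a pseudonym
    rather than a thinly disguised identifier.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_records(records: Iterable[Dict], key: bytes) -> List[Dict]:
    """Replace the direct identifiers with a subject token; keep the other fields."""
    out = []
    for rec in records:
        reduced = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        reduced["subject_id"] = pseudonym(rec["email"], key)
        out.append(reduced)
    return out


def reidentify(token: str, key: bytes, subject_emails: Iterable[str]) -> Optional[str]:
    """Re-identify a token. Only the key holder can do this, and only by
    recomputing over the controller's own list of data subjects."""
    for email in subject_emails:
        if hmac.compare_digest(pseudonym(email, key), token):
            return email
    return None


if __name__ == "__main__":
    key = new_key()
    rows = pseudonymise_records(SAMPLE_RECORDS, key)
    for row in rows:
        print(row)
    # Same person gives the same token; a different key re-identifies nobody.
    print(rows[0]["subject_id"] == rows[2]["subject_id"])
    print(reidentify(rows[1]["subject_id"], key, ["alice@example.org", "bob@example.org"]))
    print(reidentify(rows[1]["subject_id"], new_key(), ["alice@example.org", "bob@example.org"]))
```

The key is the "additional information" that allows re-identification, so it must be stored away from the pseudonymised dataset and under the same access controls as the original identifiers; using a different key for each purpose also prevents two pseudonymised datasets being linked to each other. An unkeyed hash of a known identifier can be recomputed by anyone and therefore does not pseudonymise it.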
When assessing the appropriate level of security, you will need to do this on a risk-analysis basis i.e. what is the potential risk in processing such as the risk from accidental or unlawful destruction, loss or alteration, unauthorised disclosure of or access to the data as a result of transmission, storage or processing.
Data protection/privacy impact assessment
Impact assessments are required by the GDPR in certain circumstances, such as prior to processing data where it is likely to result in a high risk to the rights and freedoms of an individual. Carrying out impact assessments is, however, generally thought to be good practice in any event, since they are a good way to demonstrate accountability. The aim of an impact assessment is to identify and evaluate the likely data protection risks arising from a new activity that involves processing Personal Data. The ICO website has a template Privacy Impact Assessment which can be found in the annex to the Impact Assessment Code of Practice here https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf.
Privacy Notices
As part of the preparation for GDPR compliance, organisations should also review their current privacy notices. Under the current rules, when you collect Personal Data, you have to provide individuals with certain information in relation to how you intend to use the information. This is usually done through a privacy notice. Under the GDPR, there are additional requirements as to what needs to be explained in privacy notices. Notices need to be clear and concise and should include:
the full company name and contact details of any business processing Personal Data;
the lawful basis for processing data;
the period for which the Personal Data will be retained;
that individuals have the right to complain to the ICO if they think there is an issue with the way their data is being handled;
if relying on consent as a lawful ground for processing Personal Data, that the individual can withdraw consent; and
individual rights.
Appointing a Data Protection Officer
The GDPR states that a DPO must be appointed only for the following organisations:
• public authorities (except where acting in their judicial capacity);
• those whose core activities require regular and systematic monitoring on a large scale; and
• those whose core activities involve processing special categories of Personal Data, such as criminal records and offences, on a large scale.
“Core activities” means that the activity is the primary activity of an organisation and not ancillary to its main activity. “Large scale” refers to processing a considerable amount of data which could affect a large number of individuals and which is likely to result in a high risk if there is a breach. Even those organisations that are not formally required to appoint a DPO may opt to do so for reporting purposes and in order to facilitate the identification of a data breach.
Practical steps
We set out below a number of practical steps which will help you work to compliance with the GDPR.

1. Involve key individuals and obtain buy-in from Management/Board
• Obtain buy-in from key individuals.
• Ensure understanding of requirements throughout the company through training for staff.
• Are decision makers and key individuals aware that the GDPR is to be implemented in the UK, and of the impact of this?
• Create awareness within your organisation.

2. Consider whether a DPO is required
• Designate somebody to take this role and assess where they will sit within the organisation.
• Even if a DPO is not required, consider whether to appoint one to monitor security and breaches and to report any breach to the supervisory authorities.

3. Data Mapping
• Where did data come from and who is it shared with?
• Carry out an audit/questionnaire.
• Review the data you hold and how this is processed.

4. Prepare and Maintain Data Record
• Maintain a record of your data processing activities.
• Ensure the record is updated regularly as and when you collect information.

5. Impact Assessments
• Is a data impact assessment required, e.g. where processing is likely to result in high risks to individuals?
• Consider carrying out an assessment even if not mandatory, to assist with the requirement of data protection by design and by default.

6. Identify lawful grounds
• Identify the lawful ground upon which data is processed and document this.
• If consent is the lawful ground upon which you are relying to process data, review how this is obtained and refresh existing consents if they are not GDPR compliant.
• Inform individuals that they can withdraw consent and request that data is deleted.
• Keep a record of the lawful grounds for each category of data (this can be worked into your Personal Data Record).

7. Privacy Notices
• Review and update Privacy Notices to ensure that they comply with the requirements of the GDPR and include the required information, including the legal basis upon which data is processed.

8. Review processes and procedures
• Check processes and systems to ensure you can detect, report and investigate data breaches and comply with breach notification requirements and data subject requests.
• Ensure procedures and systems cover all individuals’ rights, such as how to delete Personal Data or provide data electronically.
• Ensure policies are updated so that all staff understand procedures and requirements.

9. Staff Training
• Train staff on the requirements of the GDPR and on all internal processes, procedures and systems.

10. Review contracts with third parties
• Review contracts to check they reflect the current position.
• Processors to assist the Controller in compliance with security and breach notification requirements and to notify Controllers of a breach without delay.

11. Consider Insurance Policies
• Consider insurance policies to check whether they cover data protection and security breaches and the extent of cover.

12. Review current security
• Consider security systems for protecting Personal Data. Are they adequate to comply with the GDPR and the principle of privacy by design as well as the other requirements?
Get in touch
Contact us
We can assist with all of these stages, if required. If you have any further queries, please contact:
Sara Ager, sara.ager@ec3consultants.com, T: 020 3553 4898
Helena Coates, helena.coates@ec3consultants.com, T: 020 3553 4897
Rachael Bishop, Rachael.Bishop@ec3consultants.com, T: 020 3553 4871
Peter Schwartz, peter.schwartz@ec3legal.com, T: 0203 553 4870
John Small, John.small@ec3consultants.co.uk, T: 020 3553 4874
Find out more about how we can help your business, we would love to have a chat. Please get in touch: +44 (0) 203 553 4898 info@ec3consultants.co.uk www.ec3consultants.co.uk @ec3consultants
Appendix I Relevant definitions
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including:
• collection or recording;
• organisation, structuring, storing, adaptation or alteration;
• retrieval, consultation or use;
• disclosure, dissemination or otherwise making available; or
• alignment, combination, blocking, erasure or destruction.
“Personal Data” means any information which relates to a living individual who can be identified directly or indirectly by reference to:
• an identifier such as a name, ID number or location; or
• one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
“Sensitive Personal Data” means Personal Data consisting of information as to:
• racial or ethnic origin of the data subject;
• political opinions;
• religious beliefs or other beliefs of a similar nature;
• whether he or she is a member of a trade union;
• physical or mental health condition;
• sexual life;
• the commission or alleged commission of any offence; or
• proceedings for any offence committed or alleged to have been committed.
Appendix II Lawful grounds for processing data
Personal Data
Consent – the data subject whom the Personal Data is about has consented to processing.
Contractual – processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
Legal obligation – processing is necessary for compliance with a legal obligation.
Vital interests – processing is necessary to protect the vital interests of the data subject or another person.
Public tasks – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the business.
Legitimate interests – processing is necessary for legitimate interests pursued by a business or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Sensitive Personal Data
Explicit consent – the data subject whom the Sensitive Personal Data is about has given explicit consent to the processing.
Employment, social security or social protection laws – processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
Vital interests – processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent.
NFP – processing is carried out by a not-for-profit with a political, philosophical, religious or trade union aim, provided processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.
Public – processing relates to Personal Data manifestly made public by the data subject.
Legal matters – processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Public tasks – processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Medical purposes – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to a contract with a health professional (provided that professional is subject to the obligation of professional secrecy under EU or Member State law) or by another person also subject to an obligation of secrecy under EU or Member State law.
Public health – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
Archiving, research or statistical purposes – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.