LAYTONS
EU General Data Protection Regulation Preparing for the changes
This information is offered on the basis that it is a general guide only and not a substitute for legal advice. We cannot accept any responsibility for any liabilities of any kind incurred in reliance on this information.
The General Data Protection Regulation (GDPR) will apply from 25 May 2018, bringing with it a number of changes to existing data protection law and new requirements for organisations. This briefing looks at the key changes, highlighting actions to take and ways in which we can help.
Geraint Thomas Partner | Disputes geraint.thomas@laytons.com +44 (0)20 7842 8000
Michael Edgar Solicitor | Commercial michael.edgar@laytons.com +44 (0)20 7842 8000
EU GDPR | February 2017
Key changes & implications

Brexit

The GDPR will almost certainly apply to the UK notwithstanding Brexit since (1) the UK will still be in the EU when the GDPR comes into force, and (2) even after the UK’s exit from the EU, the Government is expected to implement the GDPR’s provisions through national legislation. Accordingly, the Information Commissioner has advised UK organisations to continue preparing for the GDPR coming into effect.

Higher bar for unlawful processing

Generally a key requirement to process personal data lawfully is to obtain the requisite consent to do so, and the bar for valid consents will be raised under the GDPR. This is important now since if you do not obtain consent in a GDPR-compliant way there is a risk that customer and employee consents may expire following the GDPR coming into effect.

Action: privacy policy and statements should be reviewed and may need amendment.

Broad definition of personal data

The GDPR defines personal data as “any information relating to an identified or identifiable natural person”. To determine whether a natural person is “identifiable”, account should be taken of “all the means reasonably likely to be used” to identify the person. Therefore an individual’s name, while obviously a major indicator of identity, is not a necessity in order for information about the individual to constitute personal data; the GDPR makes it clear that other information such as an identification number, location data, an online identifier or other factors specific to an individual can be sufficient for that data to be caught.

Genetic data and biometric data

The GDPR introduces specific definitions of “genetic data” (for example, an individual’s gene sequence) and “biometric data” (for example, fingerprints and facial recognition data). Genetic data and biometric data will both be treated as sensitive personal data, affording them enhanced protections under the new rules.

Pseudonymisation

The GDPR specifically addresses the concept of “pseudonymisation”, where data is subjected to technological and organisational measures so that it no longer directly identifies an individual without the use of additional information (provided that such additional information is kept separately and securely). Pseudonymous data will still be considered a type of personal data; however, businesses which implement pseudonymisation techniques on their personal data can enjoy various benefits under the GDPR. This recognises that the application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data protection obligations.
Data processors will have data protection obligations as well as data controllers

Where you are or will be processing personal data as a processor (rather than controller), this will open up your potential exposure to fines and reputational damage.

Action: contracts should be negotiated with this in mind, and certain current contracts may need to be reviewed and risk-assessed.

Minimum contract requirements

From 25 May 2018, the minimum obligations that must be included in a contract under which personal data is handled will significantly change. Concluding contracts without consideration of this risks having to request renegotiation in the middle of their term around May 2018, or being in breach of the GDPR.

Action: again, contracts should be negotiated with this in mind going forward, and certain current contracts may need to be reviewed and risk-assessed.

Right to data portability

Action: technical preparations may be needed to enshrine this right. Such preparations may also help with responses to subject access requests, where the timeframe for responding will change to “without undue delay” and “at the latest within one month” from the time the SAR is received (currently, the timeframe is “promptly” and at the latest within 40 days).

Privacy by design and by default

The newly codified privacy by design obligation requires data controllers to assess data protection risks throughout the designing of a new process, product or service, rather than retrospectively. The new privacy by default obligation requires that businesses implement appropriate technical and organisational methods to ensure that, by default, only personal data which are necessary for each specific purpose are processed.

Action: consider this carefully in relation to current and new measures that you use to safeguard personal data.

Data breach notification

All data controllers will need to self-report serious breaches to the ICO within 72 hours of becoming aware of them from 25 May 2018.

Action: training and infrastructure preparation is recommended in good time ahead of May 2018.
Privacy Impact Assessments

There is a greater emphasis on privacy impact assessments. Requirements on how these should be conducted (periodically) have now been codified, and PIAs, carried out under the supervision of the DPO, will be a legal requirement in certain circumstances under the GDPR.

Action: the way in which your PIAs are conducted should be reviewed against the GDPR’s requirements.

Tougher sanctions

Compliance is increasingly important as the maximum ICO fine for breaches is increasing from £500,000 to the higher of €20 million or 4% of annual worldwide turnover of the corporate group. The ICO will also enjoy wide investigative powers, and the GDPR makes it easier for individuals to bring private claims against data controllers and processors relating to data protection breaches.

Data protection officer (DPO)

The GDPR introduces the requirement for certain types of businesses to appoint a DPO. The following organisations must appoint a DPO: (1) public authorities; (2) controllers or processors whose core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; (3) controllers or processors whose core activities consist of processing sensitive personal data on a large scale.

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data." The role of DPO is therefore a significant responsibility for controllers and processors.

Action: businesses will need to assess whether or not they fall within one or more of the categories in which appointing a DPO is mandatory. Examples of those businesses likely to be covered by the new requirement include public authorities, B2C businesses which regularly monitor online activity of their customers and website visitors, and healthcare companies who process large amounts of medical information. You may wish to appoint a DPO even where you are not required to by the GDPR, in order to help ensure you discharge your obligations under the data protection rules and demonstrate compliance.
Transferring personal data outside the European Economic Area

While the GDPR will not implement a significant shift to the rules on transferring personal data outside the EEA, the tougher sanctions being introduced for breaches of the rules mean that compliance is increasingly important. It is important to understand precisely what the term “transfer” means. The migration of a customer database from a UK-based business to a business based outside the EEA would clearly fall within the definition. But a number of other common business activities will also constitute a “transfer”, for example storing your business data using a hosting provider whose server is based outside the EEA, or sharing data between different companies in the same corporate group where transferors are based in the EEA and transferees are based outside it.

Generally, transfers of personal data outside the EEA will breach the data protection rules unless the Commission has made a “positive finding of adequacy” in respect of the country in which the transferee is located, or the transferor has put in place adequate safeguards to protect the rights of the data subjects whose data is transferred. The latter is commonly achieved by incorporating the Commission’s Standard Contractual Clauses into the contract governing the data transfer.

If you have US companies in your corporate group, you have the option of certifying the US entities with the US Department of Commerce under the Privacy Shield Framework to help ensure that they can receive personal data transfers from the EEA lawfully.

How we can help

We have a specialist data protection team on hand to support you on all aspects of data protection compliance.

Our assistance includes:

• GDPR implementation plan: we can help you prepare a timetable of implementing changes to prepare for the GDPR coming into force.

• Privacy impact assessment: we can prepare and generally support a PIA that is consistent with the GDPR’s requirements.

• International data transfers: we advise on a variety of cross-border data issues, for example those relating to your supply chain, suppliers, cloud storage and intra-group transfers.

• Training: we can tailor data protection training to your requirements, whether it is for your data protection officer, in-house legal team, key teams or company-wide.

• On-going support: we are here to support you with data protection questions and issues as and when they arise.
LAYTONS

London: 2 More London Riverside, London SE1 2AP, +44 (0)20 7842 8000, london@laytons.com
Manchester: 22 St. John Street, Manchester M3 4EB, +44 (0)161 214 1600, manchester@laytons.com
Guildford: Ranger House, Walnut Tree Close, Guildford GU1 4UL, +44 (0)1483 407 000, guildford@laytons.com

laytons.com

© Laytons Solicitors LLP which is authorised and regulated by the Solicitors Regulation Authority (SRA Nº 566807). A list of members is available for inspection at the above offices.