On 25 May 2018, the General Data Protection Regulation (GDPR) became directly applicable in all European Union member states, including the UK.
Note that further information about the practical application of the law can be found in the drafting notes to our free privacy notice template.
The GDPR sets out how businesses and organisations can collect, use and store personal data about individuals. It also addresses the export of personal data outside the EU.
The Regulation harmonises the law across Europe, giving individuals in the EU the same legal protection for their data no matter where it is held or processed.
The aim is to reduce the burden on businesses of complying with different rules in different countries, and to give people in the EU better control over what data organisations hold about them, together with stronger rights to have that data kept accurate or erased.
Member states may keep or introduce their own more specific rules for data relating to employment, and processing for the purposes of national security falls outside the scope of the Regulation altogether.
Replacement for the Data Protection Act
GDPR is an EU Regulation. As such, Parliament is not required to pass any enabling legislation in order to make GDPR legally binding and applicable (as it would have to if it were a Directive). A Regulation automatically comes into effect across all EU member states at the same time.
However, in the UK, the provisions of the GDPR are also carried into domestic law by the Data Protection Bill, enacted as the Data Protection Act 2018 on 23 May 2018. It replaces the Data Protection Act 1998 (DPA), which looked increasingly outdated given how data is collected and used today compared to twenty years ago.
The 2018 Act applies the GDPR standard in the UK, fills in the choices the Regulation leaves to member states, and adds rules for processing outside the GDPR's scope, such as by law enforcement and the intelligence services. Because it is a UK statute, the law remains in place even after the UK leaves the European Union.
Who does the GDPR apply to?
The GDPR applies to both businesses and non-commercial organisations that store or process information relating to living individuals who can be identified, directly or indirectly, from that data.
Changes to the law that the GDPR brings in
The GDPR has 99 articles setting out the rights of individuals and the obligations of organisations. The most significant changes include:
- the obligation on organisations to protect data by design and default
- the right of the individual to data portability
- increased territorial scope - applicability to organisations based outside the EU
- requirements to appoint suitable Data Protection Officers
- maintenance of records of processing activities
- the establishment of supervisory authorities in each EU member state
Data protection by design and by default
Data protection "by design and by default" is the requirement (Article 25) that data protection is built purposefully into business processes and systems, and that the default settings are the most protective ones: only the personal data necessary for each specific purpose is processed, and data is not made accessible to an indefinite number of people unless the individual chooses to make it so.
In practice, this means that data should only be collected and processed when necessary for a specific purpose, kept no longer than needed, and that processing procedures should be documented and comply with the Regulation. The GDPR names pseudonymisation and encryption (Articles 25 and 32) as examples of appropriate technical measures, but it does not prescribe a particular implementation.
Encryption only protects personal data against a party that does not hold the keys. Outsourced storage on a remote cloud is therefore practical and relatively safe where the data is encrypted before it leaves the controller's systems and only the controller, not the cloud service, holds the decryption keys; where the service holds the keys, the service can read the data and must be treated as a processor with the contractual and security obligations that follow.
Data portability
The GDPR introduces a right to data portability (Article 20).
That is the right of an individual to receive a copy of the personal data concerning him or her in a structured, commonly used and machine-readable format, and a right to have that data transmitted directly to another data controller where this is technically feasible.
The copy must be provided free of charge and within one month of a valid request, extendable by a further two months where the request is complex.
This means that an individual can require one business to transfer personal data to another for use by that other business. An example would be banking data aggregation, where accounts with multiple banks could be managed from a single application.
The right covers data the individual has provided directly and data observed from their activity (such as transaction or usage history), but not conclusions the controller has inferred from it. Pseudonymised data, where identifiers have been replaced by a code that the controller can link back to the person, is still personal data and is within scope.
Increased territorial scope
One of the most significant changes that the GDPR brings is the extended jurisdiction of the rules to organisations located outside the EU that collect and/or process data about people in the EU.
Under previous law, the territorial applicability of the Data Protection Directive was ambiguous and referred to processing in the context of an establishment. The GDPR is much clearer.
The GDPR applies to organisations established in the EU that control or process personal data in the context of that establishment's activities, regardless of whether the processing itself takes place in the EU or not. This prevents offshore processing being used to circumvent the rules.
It also applies to the processing of personal data of individuals who are in the EU by a controller or processor not established in the EU where either:
- goods or services are offered to people in the EU (whether or not payment is required), or
- the behaviour of people in the EU is monitored
Organisations that are not established in the EU but fall within this scope must, with limited exceptions for occasional low-risk processing, appoint a representative in the EU.
Data Protection Officers
Under previous legislation, controllers were required to register with, or notify, a national authority of their data processing activities. For UK controllers, the authority was the Information Commissioner's Office.
Under the GDPR, this notification requirement is replaced with one of internal record-keeping.
Appointing a Data Protection Officer is mandatory for public authorities (other than courts acting in their judicial capacity), and for controllers and processors whose core activities either require regular and systematic monitoring of data subjects on a large scale, or consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
Where a DPO is appointed, he or she:
- must be appointed based on professional qualities including in particular, expert knowledge on data protection law and practices
- must have appropriate resources to carry out his or her tasks and maintain his or her expert knowledge
- must report directly to the highest level of management in the organisation
- could be an employee or a third-party service provider
- must not carry out any other tasks that could result in a conflict of interest
Records of processing activities
Records of processing activities must be maintained, including the purposes of the processing, the categories of data subjects and personal data involved, the recipients, any transfers outside the EU, the envisaged retention periods and a general description of the security measures. These records must be made available to the supervisory authority on request.
Supervisory authorities
Each EU member state has an independent Supervisory Authority (SA) to hear complaints, to investigate them and to sanction infringements.
In the UK, this is the Information Commissioner's Office (the ICO).
Each SA works, when necessary, with the SAs in other member states to provide EU-wide enforcement.
If a business has establishments in multiple EU countries, a single SA acts as its lead authority: the SA of the country of its main establishment, normally where its central administration in the EU is based.
Controllers and processors
Organisations handling personal data are classified as data controllers, data processors, or both.
A data controller is a person or an organisation that decides how and for what purposes personal data is processed.
A data processor is a person or an organisation that processes personal data on behalf of a controller, for example by collecting, recording, storing or analysing it on the controller's instructions.
A processor must act only on the controller's documented instructions, implement appropriate security measures, and maintain records that show compliance.
A controller may only use processors that provide sufficient guarantees of compliance, must have a written contract with each processor setting out its obligations, and remains responsible for ensuring that the processor complies with data protection law.
Lawful basis for processing
Under the GDPR, data can only be processed if there is at least one lawful basis to do so.
There are six lawful bases for processing (Article 6): consent of the data subject; necessity for the performance of a contract with the data subject; necessity to comply with a legal obligation; necessity to protect the vital interests of the data subject or another person; necessity for a task carried out in the public interest or in the exercise of official authority; and legitimate interests pursued by the controller or a third party. Legitimate interests requires a balancing test, documented by the controller, as to whether those interests are overridden by the interests or fundamental rights of the data subject, and it is not available to public authorities for the performance of their tasks. Because it does not depend on obtaining and managing consent, it is often the most practical basis for routine business processing.
Consent can only be given by an active, affirmative action, and by the data subject himself or herself.
Passive acceptance such as by pre-ticked boxes or opt-outs is not consent.
Records of how and when a subject gave consent must be kept.
A subject may withdraw consent at any time.
Where consent is the lawful basis for offering online services directly to a child, parental consent is required for children under the age of 16 years.
Individual member states can lower the age requiring parental consent to a minimum of 13 years; the UK has chosen 13.
What types of data are covered by the GDPR?
The definition of personal data is broader under the GDPR than under the Data Protection Act.
As well as all data that qualified under the DPA, personal data expressly includes online identifiers such as IP addresses and cookie identifiers, location data, and factors specific to a person's economic, cultural or social identity.
Special category (sensitive) personal data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data (including mental health), and data about sex life or sexual orientation. Processing it requires one of the narrower conditions in Article 9 in addition to a lawful basis.
Data that does not directly identify the subject, such as data labelled with a pseudonym or a reference code, is still personal data if the subject can be re-identified by anyone holding the key, the lookup table or other reasonably available information. Only data that has been anonymised so that the individual can no longer be identified falls outside the GDPR.
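The distinction between a reversible pseudonym and truly anonymous data is easiest to see in code. The following Python is an added example and not part of the original article: it pseudonymises a constructed dataset with a keyed hash whose key is held separately from the data (the point made above under design and default, that keys should remain under the controller's control), and shows why an unkeyed hash of an e-mail address is not anonymisation. The record layout, field names and sample addresses are assumptions made for the example.

```python
"""Pseudonymisation with a separately held key, and why an unkeyed hash is not anonymisation."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample dataset for this example (not real people).
RECORDS = [
    {"email": "Alice@example.com", "purchases": 3},
    {"email": "bob@example.com", "purchases": 1},
]


def generate_key() -> bytes:
    """Pseudonymisation key. It must be stored apart from the pseudonymised dataset
    (for example in a secrets manager) so that the dataset alone cannot be linked back."""
    return secrets.token_bytes(32)


def normalise(email: str) -> bytes:
    # Same person, same token: trim and case-fold before hashing.
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the identifier. It hides the address from a casual reader,
    but anyone who can enumerate candidate addresses can confirm which one produced
    the token (see reidentify_by_guessing), so the result is still personal data."""
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key. Without the key the token
    cannot be linked back to the person; with the key the controller can link it,
    which is why pseudonymised data remains personal data under the GDPR."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> list:
    """Replace the direct identifier with a keyed token, keeping the other fields."""
    return [
        {"subject_token": keyed_pseudonym(r["email"], key), "purchases": r["purchases"]}
        for r in records
    ]


def reidentify_by_guessing(token: str, candidates: list, key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: recompute the token for each guessed address and compare.
    With key=None this attacks the unkeyed scheme and succeeds whenever the real
    address is among the guesses. Against the keyed scheme it only succeeds if the
    attacker also holds the correct key."""
    for candidate in candidates:
        guess = keyed_pseudonym(candidate, key) if key is not None else naive_pseudonym(candidate)
        if hmac.compare_digest(guess, token):
            return candidate
    return None


def lookup_subject(email: str, pseudonymised: list, key: bytes) -> list:
    """Controller-side use of the key, e.g. to answer an access or erasure request:
    recompute the requester's token and select their rows."""
    token = keyed_pseudonym(email, key)
    return [row for row in pseudonymised if hmac.compare_digest(row["subject_token"], token)]


if __name__ == "__main__":
    key = generate_key()
    dataset = pseudonymise(RECORDS, key)
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    print("unkeyed token re-identified as:",
          reidentify_by_guessing(naive_pseudonym("Alice@example.com"), guesses))
    print("keyed token, attacker without key:",
          reidentify_by_guessing(dataset[0]["subject_token"], guesses))
    print("keyed token, controller with key:",
          reidentify_by_guessing(dataset[0]["subject_token"], guesses, key))
    print("rows for alice:", lookup_subject("alice@example.com", dataset, key))
```

The key is what makes the difference for GDPR purposes: a party holding only the pseudonymised dataset cannot re-identify anyone, but the controller, which keeps the key, can, so the dataset must still be handled as personal data. Destroying the key (and any raw copies) is what turns the tokens into data that can no longer be linked to a person.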
Requests for access to information
Data subjects have the right to access the personal data an organisation holds about them, and to know why it is processed, how long it will be kept, where it came from and who else receives it. The GDPR requires that this information is given in clear and plain language and, where the request was made electronically, in a commonly used electronic form.
A data subject can ask to see the data held about himself or herself at reasonable intervals. The first copy must be provided free of charge; a reasonable fee may be charged for further copies or for requests that are manifestly unfounded or excessive. Data controllers must respond within one month, extendable by a further two months for complex or numerous requests.
Subjects can also ask for data that is incorrect or incomplete to be corrected or completed at any time.
Data controllers are encouraged to provide secure, direct access for subjects to review the personal information held.
Right to be forgotten
An individual has the right to demand that personal data is deleted if it is no longer necessary for the purpose for which it was collected. That includes images and text that reflect a position or view the subject held at an earlier time.
This is known as the right to be forgotten, or the right to erasure (Article 17).
He or she can also demand deletion if the subject withdraws the consent on which processing was based, or objects to processing based on legitimate interests and there is no overriding ground to continue. The right is not absolute: data may be retained where it is needed to comply with a legal obligation, for freedom of expression, for public health or archiving purposes, or to establish or defend legal claims.
Where the controller has made the data public, it must take reasonable steps to inform other controllers processing that data that the subject has requested erasure of any copies and of links to them.
The GDPR also gives a person the right not to be subject to a decision based solely on automated processing (for example, by software) where the decision has legal or similarly significant effects for that person. There are exceptions where the decision is necessary for a contract, authorised by law or based on explicit consent, but even then the person must be given meaningful information about the logic involved and a way to obtain human intervention and contest the decision.
Notification of breaches
A controller must notify its supervisory authority of a personal data breach unless the breach is "unlikely to result in a risk to the rights and freedoms of natural persons".
Notification must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach; if it is later, the reasons for the delay must be given.
A processor that becomes aware of a breach must notify the controller without undue delay. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay.
Fines and sanctions
Supervisory authorities have increased rights to sanction and to fine organisations that fail to meet their obligations.
While the ICO says that it will fine only after warnings and repeated failures to comply, the maximum fines have increased substantially from those possible under the DPA. It also says that it will be more lenient towards businesses that have tried to implement the GDPR but have not done so thoroughly than towards those that have not tried at all.
The ICO has the power to impose the following:
- a written warning for a first and non-intentional non-compliance
- regular and periodic data protection audits
- fines of up to €20,000,000 or up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious infringements (such as breaching the basic principles or individuals' rights); a lower tier of up to €10,000,000 or 2% applies to other obligations, such as record-keeping, security and breach notification
Exemptions from GDPR
Certain types of processing are exempt from some of the GDPR's provisions, rather than from the Regulation as a whole, predominantly where the processing serves a wider public interest.
These include processing for journalistic, academic, artistic or literary purposes, scientific and historical research, archiving in the public interest, and, under the UK's Data Protection Act 2018, anti-doping in sport.
How to prepare your business for GDPR
If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR. However, it is not always clear exactly what more a business might have to do to comply with the new Regulation.
The ICO says that businesses and organisations that already comply with existing data protection laws will find the new GDPR only a "step change".
It has published a 12-step guide to compliance.
This includes recommendations such as:
- making senior business managers aware of the changes
- hiring a data protection officer if necessary
- conducting an inventory as to what information is held, where, for how long, and documenting how data is processed and kept secure
- updating business procedures and policies concerning data privacy and protection and information access requests
- circulating business procedures and policies amongst employees and other relevant stakeholders
- planning what would happen in the event of a data breach, how a breach might be noticed and an incident recovery plan to deal with the consequences
The GDPR brings increased obligations on businesses and other organisations regarding how data is collected, stored, processed, reported and managed.
There is no single checklist that guarantees compliance, but a business that can demonstrate what it has done to comply is likely to be treated more leniently by the supervisory authority than one that made no effort.
Certainly a business should consider what personal information it holds, how it is used, and what risks there are that it might be misused or stolen.