GDPR – Data Protection Changes in 2018

Essentially the General Data Protection Regulation (GDPR) is an updating of the current EU Data Protection Directive which was enacted within the UK as the Data Protection Act 1998 (DPA).

The changes which are to be ushered in by the GDPR in 2018 are substantial and ambitious. At over 200 pages long, the Regulation is one of the most wide-ranging pieces of legislation passed by the EU in recent years, and concepts to be introduced such as the ‘right to be forgotten’, data portability, data breach notification and accountability will take some getting used to.

The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

What is going to change?

The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.

However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

Like the DPA the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – an IP address for example – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

For most organisations, keeping HR records, customer lists, or contact details etc., the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.

Personal data that has been anonymised can fall within the scope of the GDPR depending on how difficult it is to attribute the data to a particular individual.

The GDPR refers to sensitive personal data as “special categories of personal data”. These categories are broadly the same as those in the DPA, but there are some minor changes. For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.

12 steps you should take now

1. Awareness

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR. It would be useful to start by looking at your organisation’s risk register, if you have one.

2. Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit, across the organisation, or within particular business areas. The GDPR updates rights for a networked world. For example, if you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records. Doing this will also help you to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.

3. Communicating privacy information

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data.

4. Individuals’ rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. The main rights for individuals under the GDPR will be:

  • subject access,
  • to have inaccuracies corrected,
  • to have information erased,
  • to prevent direct marketing,
  • to prevent automated decision-making and profiling, and
  • data portability (an enhanced form of subject access where you have to provide the data electronically).

5. Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information. The rules for dealing with subject access requests will change under the GDPR. In most cases you will not be able to charge for complying with a request and normally you will have just a month to comply, rather than the current 40 days.

6. Legal basis for processing personal data

You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it. Many organisations will not have thought about their legal basis for processing personal data. Under the current law this does not have many practical implications. However, this will be different under the GDPR because some individuals’ rights will be modified depending on your legal basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing. You will also have to explain your legal basis for processing personal data in your privacy notice.

7. Consent

You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. Like the DPA, the GDPR has references to both ‘consent’ and ‘explicit consent’. The difference between the two is not clear given that both forms of consent have to be freely given, specific, informed and unambiguous. Consent also has to be a positive indication of agreement to personal data being processed – it cannot be inferred from silence, pre-ticked boxes or inactivity. The GDPR is clear that controllers must be able to demonstrate that consent was given. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail.

8. Children

You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity. For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. In short, if your organisation collects information about children – in the UK this will probably be defined as anyone under 13 – then you will need a parent or guardian’s consent in order to process their personal data lawfully.

9. Data breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. The GDPR will bring in a breach notification duty across the board. This will be new to many organisations. Not all breaches will have to be notified to the ICO – only ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach. A failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

10. Data Protection by Design and Data Protection Impact Assessments

You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIAs) and work out how to implement them in your organisation. It has always been good practice to adopt a privacy by design approach and to carry out a privacy impact assessment as part of this. A privacy by design and data minimisation approach has always been an implicit requirement of the data protection principles. However, the GDPR will make this an express legal requirement.

11. Data Protection Officers

You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. The GDPR will require some organisations to designate a Data Protection Officer (DPO), for example public authorities or ones whose activities involve the regular and systematic monitoring of data subjects on a large scale. The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively.

12. International data transfers

If your organisation operates internationally, you should determine which data protection supervisory authority you come under. The GDPR contains quite complex arrangements for working out which data protection supervisory authority takes the lead when investigating a complaint with an international aspect, for example where a data processing operation affects people in a number of Member States. Put simply, the lead authority is determined according to where your organisation has its main administration or where decisions about data processing are made.

Abridged and amended from https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

Smarter Technologies Ltd, Unit 1 Broadfield Industrial Estate, Seymour Street, Heywood, OL10 3AJ | Company No.: 07172781 | VAT No.: 794 7491 68
