Our series of guides to the EU General Data Protection Regulation: round-up of the latest guidance on GDPR

As the GDPR implementation date of 25 May 2018 draws ever closer, many organisations will be in the advanced stages of GDPR-readiness. However GDPR-ready you are, and whichever sector you operate in, our specialists are here to help with all aspects of GDPR compliance. Please do not hesitate to contact Jeanette Burgess or Andrew Northage if you require any assistance.

Are you GDPR-ready?
In a speech given at the beginning of February 2018, the UK’s Information Commissioner had this to say:
“While there will be no grace period – you’ve had two years to prepare – I know that when 25 May dawns, there will be many organisations that are less than 100 per cent compliant. This is a long haul and preparations will be ongoing. But if you self-report a breach, engage with us to resolve issues, can demonstrate effective accountability arrangements, you will find us to be fair. Enforcement will be proportionate and, as it is now, a last resort”.
In this newsletter, we take stock of the position with the latest UK and European-level guidance on GDPR. We then focus on recent guidance covering: the ‘security principle’ and personal data breaches; lawful bases for processing personal data, in particular the ‘legitimate interests’ basis; and requirements regarding documentation.
The Information Commissioner has emphasised previously how the new law is about “greater transparency, enhanced rights for citizens and increased accountability”. It has been described as “an evolution in data protection, not a total revolution” and the message for businesses is that “if you are already complying with the terms of the Data Protection Act, and have an effective data governance programme in place, then you are already well on the way to being ready for GDPR”.
Essentially, GDPR is about good business practice: being accountable, transparent and fair; managing data responsibly; giving individuals greater choice and control over how their personal data is used; building a culture of privacy; and integrating data protection into the heart of the business. Looking beyond issues of pure compliance, GDPR provides organisations with an opportunity to innovate, to review and improve data management, and to maximise the potential of their data assets.
We set out a checklist of the practical steps for organisations to take in one of our earlier briefings.

Update on the latest GDPR guidance – where are we now?
The Information Commissioner’s Office (ICO)
The ICO, the UK’s data protection regulator, continues to update and expand its comprehensive Guide to the GDPR. Each section contains a helpful checklist of points for organisations to work through to ensure compliance. The ICO has also published a range of other resources, including a self-assessment toolkit, a series of ‘myth-busting’ blogs, and information for different sectors such as: education; health; local government; marketing; and finance, insurance and credit.
The ICO has published standalone guidance on a number of aspects of GDPR. In other cases, it has simply updated or expanded the relevant section of the Guide. To date, the ICO has produced the following standalone guidance, which is referred to in the Guide:
- Detailed guidance on legitimate interests, one of the six available lawful bases for processing personal data under GDPR.
- Detailed guidance on documentation, a key feature of the principle of accountability under GDPR.
- Guide to the data protection fee. We considered this in a separate briefing. Parliament has now approved the new funding model.
- Draft guidance on Data Protection Impact Assessments (DPIAs) for consultation (the short consultation closed on 13 April 2018). DPIAs are a legal requirement under GDPR for processing that is likely to be high risk, but the ICO notes that an effective DPIA can also bring broader compliance, financial and reputational benefits.
- Draft guidance on children and the GDPR for consultation (the consultation closed on 28 February 2018). Children’s data is given particular protection under GDPR.
- Draft guidance on contracts and liabilities for controllers and processors for consultation (this was issued in September 2017 – a final version is awaited). Under GDPR, whenever a controller uses a processor (or a processor employs another processor), there needs to be a formal written contract in place between them. GDPR specifies what terms must be included in the contract, as a minimum requirement. While data controllers bear ultimate responsibility for ensuring that the processing of personal data is GDPR-compliant, data processors need to be aware that GDPR also imposes direct obligations on them. Organisations should review all existing contracts which involve any processing or sharing of personal data to ensure that they meet GDPR requirements.
- Draft consent guidance for consultation (this was issued in March 2017 – final guidance is expected shortly now that we have European-level guidance on this subject). GDPR sets a high standard for consent, which is one of the six available lawful bases for processing personal data under GDPR. The ICO notes that consent “is not inherently better or more important than these alternatives. If consent is difficult, you should consider using an alternative”.
- A lawful basis interactive guidance tool, to help organisations assess which lawful basis is likely to be most appropriate for their processing activities.
Further guidance is awaited on the following topics:
- More detailed guidance on the ‘public task’ lawful basis.
- More detailed guidance on the right to be informed, one of the individual rights under GDPR and a key transparency requirement.
- More detailed practical guidance on rights related to automated decision-making including profiling.
- Updated guidance on ‘privacy by design’. GDPR introduces a new concept of privacy by design and default which is intended to ensure that data protection is embedded within organisations and that privacy issues are taken into account as a matter of course. The new rules require organisations to implement privacy both by design (so that data protection safeguards are built into all processing activities) and by default (to ensure that the minimum amount of data is processed). Using DPIAs will help organisations to implement privacy by design and by default.
- Guidance on applying GDPR requirements in different contexts, including in areas such as CCTV and big data.
European-level guidance
The Article 29 Working Party or WP29 (an advisory body comprising representatives from the EU data protection authorities, the European Data Protection Supervisor and the European Commission) has produced the following European-level guidance on a range of aspects of GDPR:
- Guidelines on the right to data portability, one of the individual rights under GDPR.
- Guidelines for identifying a controller or processor’s lead supervisory authority, an important consideration in relation to personal data breach notifications and breach response planning.
- Guidelines on data protection officers (DPOs). The appointment of a DPO will be mandatory for public authorities/bodies as well as for data controllers or processors whose core activities comprise either: processing which requires regular and systematic monitoring of data subjects on a large scale; or large-scale processing of special categories of data or personal data relating to criminal convictions and offences.
We considered each of the above topics in an earlier briefing.
- Guidelines on DPIAs and determining whether processing is “likely to result in a high risk”.
- Guidelines on imposing administrative fines. GDPR introduces increased enforcement powers – fines of up to 2% of annual global turnover or €10 million (whichever is the greater) or fines of up to 4% of annual global turnover or €20 million (whichever is the greater), depending on the type of infringement.
- Guidelines on personal data breach notification.
- Guidelines on automated individual decision-making and profiling.
- Guidelines on transparency. The WP29 describes transparency as an “overarching obligation under the GDPR applying to three central areas: (1) the provision of information to data subjects related to fair processing; (2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (3) how data controllers facilitate the exercise by data subjects of their rights”.
- Guidelines on consent.
- Proposed guidelines for the application of Article 49 of GDPR, which concerns derogations from the prohibition on transfers of personal data outside of the EU (the consultation closed on 26 March 2018).
- Proposed guidelines on the accreditation of certification bodies under GDPR (the consultation closed on 30 March 2018). Certification mechanisms are one of the voluntary measures to facilitate compliance with GDPR.
- Updates to the WP29’s working documents on adequacy and on binding corporate rules (BCRs) for controllers and for processors, plus other recent documents in relation to BCRs. BCRs are one of the legal mechanisms for transferring personal data outside of the European Economic Area between companies forming part of a multinational group.
All of these documents can be found on the WP29 website under the ‘Guidelines’ and ‘Letters, other documents’ tabs.
A new, independent, European Data Protection Board will replace the WP29 when GDPR comes into force.

The ‘security principle’ under GDPR and personal data breaches
The ‘security principle’
In a world where increasingly sophisticated cyberattacks are an ever-present threat and rarely out of the news, people want to be able to trust that their data will be protected. They also want to be able to trust that it will be handled and used appropriately. On the other hand, businesses want to avoid the potential reputational damage and hefty fines arising from avoidable or poorly managed personal data breach incidents.
It is a GDPR requirement that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” – this is the ‘security principle’.
More specifically, GDPR provides that, “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
The ICO recently expanded the security section of its Guide to the GDPR. The following key points arise from the guidance:
- Organisations must have appropriate security in place to prevent the personal data they hold from being accidentally or deliberately compromised – this includes physical and organisational measures, not just ‘traditional’ cybersecurity.
- Organisations should aim to build a culture of security awareness.
- Information security can support good data governance and help organisations to demonstrate compliance with other aspects of GDPR.
- Ensuring confidentiality, integrity and availability of personal data is key. Information security measures should seek to guarantee all three of these elements for systems and the data they process.
- Organisations must also be able to ensure the resilience of their processing systems and services – think, for example, about business continuity and disaster recovery plans.
- The ICO is required to consider an organisation’s technical and organisational measures in the context of imposing administrative fines.
- As there is no ‘one size fits all’ approach, organisations should carry out a risk analysis in order to decide on what measures will be appropriate, and to document the findings. The risk analysis should take into account the requirements for restoring availability and access to personal data in a ‘timely manner’.
- In relation to cybersecurity, meeting the requirements of the government’s Cyber Essentials Scheme is a good start, but organisations may need to go further depending on their processing activities. The ICO’s Guide contains various other links on cybersecurity measures and guidance. Pseudonymisation and encryption may be appropriate technical measures.
- The ICO will have regard to the extent to which any sector-specific security requirements have been met.
- Controllers must put certain measures in place when a data processor is involved. This includes in relation to contractual arrangements. See the ICO’s draft guidance on contracts and liabilities for controllers and processors.
- GDPR requires organisations to undertake regular testing, assessment and evaluation of the effectiveness of their security measures. The results should be documented and any recommendations acted upon/safeguards implemented.
- It is a GDPR requirement to ensure that staff do not process any personal data unless instructed to do so. Appropriate initial and refresher training should be provided.
A note on personal data breaches
However robust an organisation’s security measures, there is always the possibility that a personal data breach could occur at any time. The ICO’s Guide to the GDPR contains a section on personal data breaches. Data controllers in particular should be aware of the following key points:
- GDPR requires data controllers to report certain types of personal data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Section II of the WP29’s guidelines on personal data breach notification provides more information about when a controller becomes “aware”.
- Failure to report a notifiable breach can result in a fine of up to 2% of annual global turnover or €10 million (whichever is the greater). It is essential to have an effective breach response plan in place in order to meet the notification obligations.
- It is important to keep in mind that a personal data breach is not just about the loss or theft of personal data. It is broader than that and includes, for example: unavailability of personal data; accessing or passing the data on to someone else without proper authorisation; and alteration of personal data without permission.
- In the event of a personal data breach, the controller must notify the relevant supervisory authority, unless it can demonstrate that the breach is unlikely to result in a risk to people’s rights and freedoms. Section IV of the WP29’s guidelines on personal data breach notification sets out the factors to consider when assessing risk.
- GDPR requires certain information to be provided in a breach notification. This includes details of the measures taken or proposed to be taken to deal with the breach. If breach notification takes longer than 72 hours, reasons must be given for the delay. Communicating and cooperating with the ICO (or other relevant supervisory authority) is key. It is possible to provide the information in phases if it is not immediately available, but note that the ICO will expect the controller to, among other things, prioritise its investigation.
- Where the controller decides that it does not need to notify a breach, it should still document its justification for reaching that conclusion. A record of any personal data breaches must be kept in any event, setting out the facts relating to the breach, its effects, and the remedial action taken.
- If the breach is likely to result in a high risk to people’s rights and freedoms, those individuals must be directly informed without undue delay. Certain information must be provided to them.
- As with security measures, the contract between the controller and the processor must contain certain provisions in relation to breach notification obligations. See the ICO’s draft guidance on contracts and liabilities for controllers and processors. A data processor must inform a data controller without undue delay as soon as it becomes aware that it has suffered a personal data breach.
- Note that GDPR does not replace personal data breach notification requirements that organisations may be subject to under other legislation, for example the Privacy and Electronic Communications Regulations and the Security of Network and Information Systems Directive.

Processing personal data under GDPR – with a focus on ‘legitimate interests’
The basics
In order to be able to process personal data, organisations must have a lawful basis/bases for each processing operation. If there is no lawful basis, the processing will be unlawful. There are six lawful bases under GDPR:
- consent
- contract
- legal obligation
- vital interests
- public task
- legitimate interests.
Importantly, public authorities will not be able to rely on ‘legitimate interests’ as a lawful basis for carrying out data processing when performing their tasks as a public authority. They will need to consider the new ‘public task’ basis for most of their processing.
The ICO says that organisations now need to review their existing processing, identify the most appropriate lawful basis and check that it applies – in many cases it is likely to be the same as the existing condition for processing used under the Data Protection Act 1998 (DPA). The ICO recently published a lawful basis interactive guidance tool, to help organisations assess which lawful basis is likely to be most appropriate for their processing activities.
Below are key points arising from the section of the ICO’s Guide on lawful basis for processing:
- Failure to clearly identify from the start the most appropriate lawful basis/bases is a breach of GDPR. Organisations should try to get it right first time.
- The lawful basis being relied on for each processing purpose, and the justification for relying on it, should be clearly documented to meet GDPR’s new accountability requirements. Organisations need to be able to demonstrate that the lawful basis applies.
- Individuals must be informed by 25 May 2018 about the lawful basis for processing their personal data. See the right to be informed section of the Guide for more details.
- The information should be included in all future privacy notices.
- The choice of lawful basis can affect the availability of certain individual rights (for example, the right to object or the right to data portability). Note that the right to object to processing for the purposes of direct marketing will always apply. See the individual rights section of the Guide for more details.
- The processing must be a targeted and proportionate way of achieving the stated purpose.
- When deciding which lawful basis applies, organisations must remember that there is no ‘one size fits all’ approach. The ICO says that “no one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the GDPR”. It also says that “you should always use the one that is most appropriate to the circumstances having considered the purpose of the processing”.
- There are certain considerations to be taken into account if the original purpose for the processing changes over time or there is a new purpose.
- Special provisions apply in relation to special category data (this is broadly similar to the existing concept of sensitive personal data) and criminal offence data – see the relevant sections of the Guide for details.
The ‘legitimate interests’ basis
The ICO recently published detailed guidance on legitimate interests, to help organisations decide when to rely on legitimate interests as the lawful basis for processing personal data, and when to consider the alternatives.
GDPR describes this lawful basis as processing “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
The following key points arise from the ICO’s guidance on this topic:
- The legitimate interests lawful basis is similar to the legitimate interests condition under the DPA, with some changes to the wording. The ICO says that it “could in principle apply to any type of processing for any reasonable purpose” and this basis “is likely to be most useful where there is either a minimal impact on the individual, or else a compelling justification for the processing”.
- Organisations can consider the legitimate interests of any third party, including the wider benefits to society.
- As the legitimate interests basis is more flexible and wide-ranging than the alternatives, those choosing to rely on it take on additional responsibility for considering and protecting people’s interests, rights and freedoms. It may be more difficult to justify why this basis applies.
- There are three parts to the legitimate interests basis. Organisations should:
- identify a legitimate interest (the purpose test);
- show that the processing is necessary to achieve it (the necessity test); and
- balance it against the individual’s interests, rights and freedoms (the balancing test).
- The ICO encourages organisations to assess each of these by carrying out a legitimate interests assessment or LIA – “a type of light-touch risk assessment based on the specific context and circumstances of the processing” – and to document the outcome. The LIA may identify the need to carry out a Data Protection Impact Assessment. LIAs, and the practical application of the three-part test, are considered in the section of the detailed guidance headed How do we apply legitimate interests in practice?
- The balancing test is wider than a harm-based assessment. GDPR provides that if the individual does not reasonably expect the processing, their rights may override the organisation’s legitimate interests. This is an objective test. Examples of this, and more on the application of the three-part test, can be found in the section of the detailed guidance headed What is the ‘legitimate interests’ basis?
- The section of the detailed guidance headed When can we rely on legitimate interests? provides specific examples of when this basis can be used and when it should be avoided.
- The legitimate interests basis cannot be used to legitimise processing which is unlawful under other legislation (for example, e-privacy legislation requiring that individuals give their consent to some forms of electronic marketing).
- More detail is required in the privacy notice to comply with the right to be informed.
- The right to data portability does not apply to personal data processed on the legitimate interests basis.
- There are a number of benefits to choosing legitimate interests, including: its flexibility and potentially wide-ranging application; and helping to avoid what the ICO describes as ‘consent fatigue’.

The new documentation requirement under GDPR
Instead of registering with the ICO every year, organisations will be required to maintain detailed internal records of their processing activities which must include specific information prescribed by GDPR. This is a new requirement and includes information such as: processing purposes; categories and recipients of personal data; retention schedules; and a description of the technical and organisational security measures taken.
The ICO says that, as part of the record of processing activities, it can be useful to document other aspects of compliance with GDPR and the UK’s Data Protection Bill. This includes documentation such as: records of consent; information required for privacy notices; Data Protection Impact Assessment reports; and records of personal data breaches.
Controllers and processors each have their own documentation obligations. See the ICO’s detailed guidance on documentation for the specific information that controllers and processors are required to document. Organisations with 250 or more employees must document all of their processing activities. There is a limited exemption for small and medium-sized organisations, which must still document information in certain circumstances.
The records must be kept in writing and made available to the ICO on request. Practically, this means that they should be easily accessible and in a format which can be easily disclosed to the ICO. The ICO says that the information must be documented “in a granular and meaningful way”. It has produced basic documentation templates to assist controllers and processors. The ICO’s detailed guidance on documentation sets out examples of what would and would not meet GDPR documentation requirements.
Records of processing activities must be in place by 25 May 2018. They will need to be regularly reviewed and updated, particularly after any significant changes to systems, procedures or the introduction of new products and services.
Organisations should: identify who within the business is responsible for collating and updating records and responding to ICO requests; and factor in the cost of any required changes to systems to create records, the cost of regular reviews, and the annual data protection fee payable to the ICO (see our separate briefing for details).
The ICO says that, in addition to ensuring and demonstrating compliance with other aspects of GDPR (such as drafting privacy notices, responding to data subject access requests and taking stock of processing activities), documentation can also improve data governance and increase business efficiency.
The new documentation requirement under GDPR is part of the universal principle of accountability, which requires organisations to demonstrate that their processing of personal data is GDPR-compliant. The ICO recently expanded the accountability and governance pages of its Guide. These set out, among other things, the technical and organisational measures that organisations can (and, in some cases, must) take to meet accountability requirements. Maintaining documentation of processing activities is one of these. Others include: adopting and implementing data protection policies; implementing appropriate security measures; and putting written contracts in place with data processors.