Our series of guides to the EU General Data Protection Regulation: the latest guidance on GDPR
Welcome to the next instalment in our series of guides to steer businesses through the impending EU General Data Protection Regulation (GDPR), which applies in the UK from 25 May 2018. In this edition, we look at the latest guidance issued on GDPR compliance.
Is GDPR still happening? What about Brexit?
To quote the UK’s Information Commissioner in a recent speech: “If I could give you just one piece of advice today, it would be not to put this off. The GDPR is happening”. The Minister of State for Digital and Culture also recently reiterated that the UK will implement GDPR, which will start to apply part way through the planned two-year Brexit negotiations. He does not foresee any significant changes to UK data protection law post-Brexit – the government is keen to secure the unhindered flow of data between the UK and the EU. He also confirmed that parts of the UK’s Data Protection Act 1998 (DPA) will be repealed to ensure compatibility.
So, for now at least, it is full steam ahead. What is not clear is the extent to which the UK will choose to mirror any changes that the EU makes to data protection law post-Brexit. It is difficult to imagine that the UK will have a great amount of flexibility in this regard, if it wants to continue to ensure an adequate level of protection and to secure the free flow of data between the UK and the rest of the EU.
However, a possible spanner in the works is a recent ruling from the Court of Justice of the European Union (CJEU) that the UK’s Data Retention and Investigatory Powers Act 2014 (DRIPA) which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication, is incompatible with the EU e-Privacy Directive when read in light of the EU Charter of Fundamental Rights.
The controversial Investigatory Powers Act 2016 (IPA) replaced DRIPA at the end of 2016, despite opposition from privacy advocates, academics, the Law Society and major technology and telecommunications companies, who voiced significant privacy and data security concerns.
IPA, like DRIPA, has been dubbed the ‘Snooper’s Charter’, as it gives the government wide-ranging powers to monitor and intercept citizens’ communications and internet usage, as well as to compel technology companies to remove encryption and hand over data to government agencies, in some cases without a warrant. It also requires them to collect and retain bulk records of customers’ phone and internet usage, and associated metadata, for 12 months. Human rights group Liberty has already raised sufficient funds through a crowdfunding campaign to request the court’s permission to proceed with a legal challenge to the new law.
By indirectly challenging the legality of the even more extensive and intrusive IPA, the CJEU has created a fresh Brexit dilemma: the UK government must decide whether to reopen the debate on IPA; or whether to retain this Snooper’s Charter and risk not meeting adequacy standards for the protection of EU personal data in a post-Brexit world.
Latest guidance from the Information Commissioner’s Office (ICO)
The ICO has updated its ‘Guidance: what to expect and when’ webpage. This explains what it is doing to help organisations prepare for GDPR, with links to documents and guidance published to date.
Privacy notices, transparency and control
Recent materials include a revised privacy notices code of practice, which contains a short section on GDPR. The ICO recommends a blended approach, using a number of techniques set out in the code to present privacy information to individuals. The techniques also allow organisations to give individuals greater choice and control over how their personal data is used – these are key themes of the incoming legislation. The code contains a helpful privacy notice checklist.
The GDPR provisions on giving privacy information to individuals are more prescribed than those in the DPA and the data controller is required to take appropriate measures to provide information “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”. The revised code contains a table summarising the privacy information which must be provided under GDPR. The ICO believes that organisations are well placed to comply with the new regime by following the code’s good practice recommendations.
Consent – GDPR sets a high standard
Consent for data processing will be more difficult to obtain under GDPR (and in particular for public authorities, employers and others in a position of power). For example:
- some form of clear affirmative action by the data subject is required;
- pre-ticked opt-in boxes are no longer acceptable (opt-out boxes can’t be used either);
- vague/blanket consent is not enough;
- clear records must be kept of how and when consent was given;
- it must be as easy to withdraw consent as it was to give it;
- consent should be separate from other terms and conditions and is presumed to be invalid if it is a pre-condition.
The ICO has very recently published its user-friendly draft consent guidance, which has gone out to public consultation. Comments are requested by 31 March 2017. The final two pages of the draft guidance comprise a checklist to work through in relation to asking for, recording and managing consent. The ICO intends to publish finalised guidance in May 2017.
Contracts and liability
Guidance on contracts and liability is expected to follow shortly.
Latest guidance from the Article 29 Working Party (WP29)
The Article 29 Working Party (WP29), which comprises representatives of the national data protection authorities, the European Data Protection Supervisor and the European Commission, has published the first tranche of European-level guidance on certain aspects of GDPR: the right to data portability; data protection officers; and identifying a controller or processor’s lead supervisory authority. Guidelines on a wide range of other GDPR topics, including consent and profiling, are expected throughout 2017.
The right to data portability
This new right for individuals allows data subjects to receive personal data which they have provided to a data controller in a structured, commonly used and machine-readable format and to store it for further personal use on a private device. It also allows for that personal data to be transmitted from one data controller to another “without hindrance”. In addition to empowering data subjects and giving them more control over their personal data, this new right is aimed at fostering competition between controllers by facilitating switching between providers. It applies where:
- personal data is processed by automatic means on the basis of the data subject’s prior consent or the performance of a contract to which they are a party and
- the exercise of the right does not adversely affect the rights and freedoms of third parties.
The following key points arise from the WP29’s guidance:
- Data controllers must inform data subjects of the availability of the new right and ensure that they distinguish it from other rights (for example, the right of access).
- They should offer data subjects a direct download opportunity and allow them to directly transmit the data to another controller (for example, using an Application Programming Interface or API).
- The data should be transmitted in “a structured, commonly used and machine-readable format”; GDPR does not prescribe a particular format or require a data controller to maintain compatible systems, but it is clear that interoperability is the desired outcome and the data must be provided in a format which supports re-use. As much metadata as possible should be provided with the data, at the best possible level of granularity.
- A data controller answering a data portability request is not responsible for the processing by the data subject or by another controller receiving the data.
- A data controller receiving personal data is responsible for ensuring that: the data provided is relevant and not excessive with regard to the new processing; the data subject has been clearly informed of the purpose of the new processing; and the processing complies with GDPR.
- Data “provided by the data subject” is to be interpreted broadly and covers both data provided knowingly and actively by them, as well as the personal data generated by their activity (for example: search history; location data; raw data from fitness trackers). Similarly, data controllers must not take an overly restrictive interpretation of the words “personal data concerning the data subject”.
- There must be suitable procedures to identify the data subject making the request.
- Controllers cannot charge a fee for providing the data, unless they can show that the requests are “manifestly unfounded or excessive, in particular because of their repetitive character”.
- There is no prescribed time limit within which a data portability request must be answered; the guidance recommends that data controllers define a reasonable timeframe in the context and communicate it to the data subject.
Data protection officers
The appointment of a data protection officer (DPO) will be mandatory for public authorities/bodies as well as for data controllers or processors whose core activities comprise either:
- processing which requires regular and systematic monitoring of data subjects on a large scale or
- large-scale processing of special categories of data or personal data relating to criminal convictions and offences.
The DPO must be an expert in national and European data protection law and have an in-depth understanding of GDPR. The following key points arise from the WP29’s guidance:
- ‘Core activities’ means the key operations necessary to achieve the controller or processor’s goals, including where data processing forms an inextricable part of the controller’s or processor’s activity (for example, the processing of patients’ health records by a hospital).
- ‘Large scale’ is not defined (although a standard practice may develop over time). The WP29 recommends considering: the number of data subjects concerned; the volume and/or range of data being processed; the duration or permanence of the processing activity; and its geographical extent.
- ‘Regular and systematic monitoring’ is also not defined. However, the WP29 interprets ‘regular’ as meaning one or more of: ongoing or occurring at particular intervals for a particular period; recurring or repeating at fixed times; constantly or periodically taking place. It interprets ‘systematic’ as meaning one or more of: occurring according to a system; pre-arranged, organised or methodical; taking place as part of a general plan for data collection; carried out as part of a strategy.
- The DPO’s level of expert knowledge should be determined according to the processing operations being carried out and the protection required for the personal data being processed. For example: is the processing activity particularly complex; is a large amount of sensitive data involved; is personal data systematically transferred outside the EU?
- It is helpful if the DPO has knowledge of the business sector and the organisation. Do they understand the organisation’s processing operations/information systems/data security and protection needs?
- A group of undertakings may appoint a single DPO so long as he or she is “easily accessible” from each one – as a contact point internally, for data subjects and for the supervisory authority. This includes the availability of contact details and being able to communicate in the relevant language.
- It is possible to appoint an external DPO under a service contract. Individuals at the service provider may carry out the DPO’s tasks on a team basis, under the responsibility of a designated lead contact. The WP29 recommends that a clear allocation of tasks is set out in the contract.
- It is crucial to involve the DPO from the earliest possible stage in all data protection issues.
- The DPO is not personally responsible for non-compliance with GDPR. Responsibility rests with the controller or processor.
- The guidance contains a list of the resources that should be provided to the DPO, including active support of the DPO’s function by senior management, sufficient time to fulfil their duties, adequate support (financial, infrastructure, staffing) and continuous training.
- There are a number of safeguards built into GDPR to enable the DPO to exercise their role independently.
Lead supervisory authority
GDPR introduces the concept of a ‘one stop shop’, so that businesses operating in more than one Member State will interact with a single national Data Protection Authority as their ‘lead supervisory authority’. Cross-border processing activity is the trigger. Essentially, this means either that the data controller/processor:
- is established in a single Member State and processes personal data in the context of that single establishment in the EU, but the processing substantially affects or is likely to substantially affect individuals in more than one Member State or
- is established in more than one Member State and processes personal data in the context of the activities of at least some of those establishments.
The following key points arise from the WP29’s guidance:
- ‘Substantially affect’ is not defined in GDPR and will be interpreted by supervisory authorities on a case by case basis. The context of the processing and its purpose, and the type of data, will be taken into account, in addition to factors such as whether the processing: causes, or is likely to cause, damage, loss or distress to individuals; affects or is likely to affect individuals’ health, well-being or peace of mind (or their financial or economic status or circumstances); and involves the analysis of special categories of personal or other intrusive data. Other factors are listed on page 4 of the guidance.
- Identifying the lead supervisory authority depends on determining the location of the controller/processor’s ‘main establishment’ or ‘single establishment’. To work out where their main establishment is, it is necessary to first identify their place of central administration in the EU – this is where decisions about the purposes and means of the processing of personal data are taken. Annex 1 contains a helpful checklist to assist in identifying the lead supervisory authority.
So, what should businesses be doing now?
- A crucial first step is to carry out a full information audit (including a data mapping exercise) and gap analysis so that you understand how data is being handled now and what needs to be done to bring existing mechanisms into line.
- Review existing consents, processes and records. Identify whether consent is the most appropriate basis for processing. If so, existing consents will need to be refreshed if they don’t meet the more stringent requirements.
- Think about whether the organisation already has the means to deal with data portability requests. If not, start investigating appropriate tools.
- Is appointment of a DPO mandatory for your particular organisation? If so, start thinking now about suitable candidates for the role. If it isn’t, would having a DPO make good commercial sense in any event?
- Identify and review any contracts with third parties where data processing is a relevant consideration.
- Start an awareness programme so that all parts of the business understand what is coming.
- Follow up with staff training which is appropriate to employees’ roles so that they understand the requirements of the legislation and the changes to policies and procedures which have been introduced to address these.
If you have any queries or concerns relating to the new legislation, or if you would like advice and assistance with undertaking any of the practical steps identified above, please do not hesitate to contact Jeanette Burgess, Andrew Northage or any member of Walker Morris’ Regulatory and Compliance Team.