By Patrick Stewart
1. Legal Protection
Data protection in the UK is currently governed by the Data Protection Act 1998. The statute implements the EU Data Protection Directive of 1995.
The General Data Protection Regulation (GDPR) will apply from 25 May 2018 and supersede both the 1995 Directive and the 1998 Act. It is a regulation issued by the EU and has direct effect in all EU member states. The aim is to have a single set of rules governing data protection throughout the EU, although there are some limited areas in which individual member states may exercise discretion.
Following the invocation of Article 50 to leave the EU, the Government's Great Repeal Bill will carry the GDPR into UK law. In addition, the Government has submitted the Data Protection Bill to Parliament, where it is currently being considered in the House of Lords. The Bill will also bring GDPR into UK law and fill in some of the discretions which the regulation leaves to individual member states.
The Government has made no secret of its support for GDPR. This is in large part to avoid interruption of data flows between the EU and the UK after Brexit.
2. Personal Data
The definition of personal data follows that in the 1998 Act. It is:
- Data which relate to a living individual who can be identified from those data, or from those data together with other information which is in the possession of, or is likely to come into the possession of, the Data Controller.
The regulation does not narrow this definition, but it widens it by making explicit that online identifiers such as an IP address can be personal data.
Sensitive data, now referred to as Special Categories of Personal Data, include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, and sex life or sexual orientation. These categories remain, and genetic data and biometric data (where processed to uniquely identify an individual) are added to them.
3. Processing Personal Data
The lawful bases for processing personal data are set out in Article 6 of GDPR. The relevant ones are:
- the Data Subject has given consent. Consent must be freely given, specific, informed and unambiguous;
- the processing is necessary for the performance of a contract to which the Data Subject is a party, or for taking steps at the request of the Data Subject with a view to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
- the processing is necessary in order to protect the vital interests of the Data Subject; and
- the processing is necessary for the purposes of the legitimate interests pursued by the Controller, except where those interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.
The last basis envisages a balance between the legitimate interests of the Data Controller which wishes to process the data and those of the Data Subject. It is to put their processing on a firmer footing than this balancing exercise that many organisations are asking the Data Subjects on their books to confirm that they opt in to receiving information, so that the processing can rest on consent rather than on legitimate interests.
4. Privacy Statement
GDPR creates a right on the part of the Data Subject to be informed of the following, which must be provided at the time the data are collected:
i. The identity and contact details of the Data Controller;
ii. The purposes of the processing for which the personal data are intended, as well as the legal basis for that processing;
iii. The recipients or categories of recipients of the personal data;
iv. Where applicable, the fact that the Controller intends to transfer the data to a third country and the legal basis for the transfer;
v. The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
vi. The existence of the right to request from the Controller access to, rectification or erasure of personal data, or restriction of processing concerning the Data Subject, the right to object to processing, and the right to data portability;
vii. The right to lodge a complaint with the supervisory authority, which in the UK is the ICO;
viii. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the Data Subject is obliged to provide the personal data, and the consequences of failing to provide it; and
ix. Whether the personal data will be subject to automated decision-making, including profiling, and if so the logic involved as well as the significance and the envisaged consequences of such processing for the Data Subject.
This information must be provided in clear, concise and intelligible language. The above should be considered in the context of a privacy statement.
5. The Data Controller/Data Processor
The Data Controller is the individual or organisation which determines the purposes and means of processing personal data. This is likely to be the organisation which deals directly with the Data Subject, whether as employer and employee, supplier and buyer, or buyer and supplier. It also covers direct marketing organisations.
The Data Processor is the individual or organisation which processes personal data on behalf of the Data Controller, for example where an organisation outsources its payroll or a direct marketing exercise.
The relationship between the Data Controller and Data Processor will be more closely regulated under GDPR. In particular, there must be a written contract between the Data Controller and Data Processor which sets out:
- The subject matter and duration of the processing;
- The nature and purpose of the processing;
- The type of personal data and the categories of Data Subject; and
- The obligations and rights of the Controller.
The contract should include provisions requiring that the Processor:
- Only acts on the written instructions of the Controller;
- Ensures that people processing the data are subject to a duty of confidence. This may require a confidentiality clause in the contracts of employment and consultancy arrangements of those individuals;
- Takes appropriate measures to ensure the security of processing;
- Only engages sub-processors with the prior consent of the Controller and under a written contract;
- Assists the Controller in providing subject access and in allowing Data Subjects to exercise their rights under GDPR;
- Assists the Controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- Deletes or returns all personal data to the Controller, as the Controller requests, at the end of the contract; and
- Submits to audits and inspections and provides the Controller with whatever information it needs to ensure that both are meeting their obligations under GDPR. The Processor must also tell the Controller immediately if it is asked to do something which would infringe GDPR or other data protection law.
Under Article 28 of GDPR, a Data Controller which engages a Data Processor must ensure that the Processor provides sufficient guarantees that it is competent to carry out the processing and to meet the requirements of GDPR, so a degree of due diligence will be required before contracting. The Data Controller remains primarily responsible for ensuring that personal data are processed in accordance with GDPR. It cannot escape liability by pointing to the breaches of its Data Processor unless it can demonstrate that it was not in any way responsible for the event which gave rise to the damage.
Existing contracts between Data Controllers and Data Processors will need to be reviewed to ensure that they comply with GDPR with effect from 25 May 2018, and new contracts will have to incorporate the required terms.