By Patrick Stewart
a) Legal background
Data protection in the UK is currently governed by the Data Protection Act 1998. The statute implements the EU Data Protection Directive of 1995.
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and supersedes the 1995 Directive and the 1998 Act. It is a regulation issued by the EU and has direct effect in all EU member states. The aim is a single set of rules governing data protection throughout the EU. Having said this, there are some limited areas where individual member states are able to exercise discretion.
Following the invocation of Article 50 to leave the EU, the Government's Great Repeal Bill will carry the GDPR into UK law. In addition, the Government has submitted the Data Protection Bill to Parliament, where it is currently being considered in the House of Lords. The Bill will also bring the GDPR into UK law and fill in some of the discretions left to individual member states by the Regulation.
The Government has made no secret of its support for the GDPR. This is in large part to avoid interruption of data flows between EU countries and the UK after Brexit.
b) What stays the same
Much of the material in the Data Protection Act 1998 reappears in the GDPR. In particular:
a) The definition of personal data is as set out in the 1998 Act. It is:
- Data which relates to a living individual who can be identified from that data, or from that data together with other information which is in the possession of, or is likely to come into the possession of, the Data Controller.
The definition has not been changed in substance by the Regulation, but it has been widened in that it now expressly covers online identifiers such as an IP address.
b) Sensitive data (now called special categories of data). This includes racial and ethnic origin, political opinion, religious and other beliefs, trade union membership and sexual orientation. These remain, and genetic data and biometric data are added to them.
c) The conditions which permit processing of personal data are as set out in Schedule 2 to the 1998 Act. The relevant conditions are:
the Data Subject has given consent;
the processing is necessary for performance of a contract to which the Data Subject is a party or taking steps at the request of the Data Subject with a view to entering into a contract;
the processing is necessary for compliance with a legal obligation to which the Data Controller is subject; and
the processing is necessary in order to protect the vital interests of the Data Subject.
The GDPR retains these and adds a further principle of accountability.
c) What changes
The GDPR introduces many new rights for Data Subjects. These are important, and of course a right which benefits a Data Subject creates a corresponding obligation on the part of the Data Controller. The rights can be summarised as:
- A right to be informed. The Data Subject is entitled to the following information, which must be provided at the time the data is collected:
i. Identity and contact details of the Data Controller;
ii. The purposes of the processing for which the personal data is intended as well as the legal basis for that processing;
iii. The recipient or categories of recipients of the personal data;
iv. Where applicable, the fact that the Controller intends to transfer data to a third country and the legal basis for the transfer;
v. The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
vi. The existence of the right to request from the Controller, access to and rectification or erasure of personal data or restriction of processing concerning the Data Subject or to object to processing as well as the right to data portability;
vii. The right to lodge a complaint with the supervisory authority in the UK, the ICO;
viii. Whether the provision of personal data is a statutory or contractual requirement, or necessary in order to enter into a contract, whether the Data Subject is obliged to provide the personal data, and the consequences of failure to provide such data; and
ix. Whether the personal data will be subject to any automated decision making and, if so, the logic involved as well as the significance and the envisaged consequences of such processing for the Data Subject.
This must be provided in clear, concise and intelligible language.
- The right of access. The Data Subject has the right to confirmation as to whether the Data Controller is processing information about him and, if so, to be told:
i. The purpose;
ii. The categories of personal data concerned;
iii. The recipients or categories of recipients to which the data will be disclosed;
iv. The period over which it will be stored or if that is not possible, the criteria for assessing that period;
v. The right to rectification and erasure;
vi. The right to lodge a complaint with the ICO;
vii. The existence of any automated decision making processes.
a) The right of rectification. Any inaccurate information must be rectified without undue delay.
b) The right of erasure, often referred to as the right to be forgotten. This applies where the data is no longer needed for the purpose for which it was collected, where the Data Subject withdraws consent, or where the data has been unlawfully processed.
c) The right to restrict processing. Where the Data Subject raises a complaint with the Data Controller (for example, contesting the accuracy of the data), the Data Controller should stop further processing of that data whilst the dispute is resolved.
d) The right to data portability. The Data Subject has a right to have his data transferred to a new controller in a structured, machine readable format where this is technically feasible.
e) The right to object. The Data Subject has a right to object to processing of his data, and the Data Controller can only continue to process it if he can demonstrate compelling legitimate grounds for doing so.
f) Consent has been used to date as a "get out of jail free" card. Data Controllers can include a paragraph in a contract or terms and conditions under which the other party consents to their data being processed, and that consent is then used as the lawful basis for processing. Under the GDPR, consent will have to be freely given, specific, informed and unambiguous. The intention is that the Controller should look at the other grounds for lawfully processing data and not simply rely upon consent. Where consent is relied upon, it must pass the above test.
Rights of minors
The GDPR requires parental consent where a minor's data is processed on the basis of consent. The Regulation sets the age below which a person is treated as a minor at 16, but leaves each member state free to lower it, provided the age chosen is no younger than 13. The Data Protection Bill currently provides for the age of 13 to be adopted in the UK. This has caused some controversy in Parliament.
Data Subject Access Request
These largely remain as before, but note that there is no longer a requirement to pay a fee, and the request must be dealt with without undue delay and in any event within one month. That period can be extended by a further two months (three months in total) if the request is particularly complex.
Accountability, as mentioned above, requires companies to assess the degree of risk in their processing, to have appropriate policies in place to deal with that risk, and to undertake data protection impact assessments where appropriate. The emphasis will be on Data Controllers to demonstrate their compliance with the GDPR.
d) How to prepare
a) Consult the ICO website. The advice given there is free, comprehensive and practical.
b) Undertake an audit. Many organisations will do this for you for a fee (sometimes a substantial fee!). What you would want to check is:
a. what information you collect and hold;
b. about whom;
c. why you are holding it; and
d. for how long.
c) Then assess whether those factors will pass the test of necessity. Do you need to hold information about certain individuals, and do you need to hold it for the period you currently hold it?
d) Review the privacy notices currently in use and make sure they cover the information which is now required to be provided.
e) Update consents if you propose to rely on them. They will have to be specific to the purpose intended. Remember that minors will need parental consent: do you have systems for identifying minors?
f) To meet Data Subjects' right to portability, do you have the technical expertise and the systems to deal with such requests?
g) Revise marketing procedures. If you are collecting information about clients and contacts for marketing purposes, do you need to retain that information? Can you justify it?
h) For employees, seek specific consents where these are needed.
e) How to prepare - direct marketing
The commonly used current approach to direct marketing, in which communications are sent with an unsubscribe option, will not be compliant under the GDPR.
Organisations should seek specific consent from the individuals to whom they address direct marketing. This amounts to an unambiguous and positive indication that the individual is happy to receive communications in the future; it is in effect an opt in. I have noticed that professional organisations with whom I deal have sent opt in requests.
Good practice would be to seek such an opt in when the organisation first engages with the individual. You would need a well crafted form with options for the various types of marketing which could be directed to the individual, and the wishes expressed by the individual would, of course, have to be respected.
The alternative would be to rely upon a two stage test, being:
a) That the organisation has a legitimate interest in the communication; and
b) That this interest is not overridden by the individual recipient’s personal rights.
Sending direct marketing communications to individuals with no prior connection with the organisation is unlikely to be covered by this. Whilst an organisation such as a charity will have an interest in sending the marketing communication, it may not be a legitimate interest, and it is in any event likely to be overridden by the personal rights of the individual recipient.
However, where an individual has an existing connection with the organisation and has not indicated a wish to sever that connection, marketing which is in the legitimate interests of the organisation can be sent to that individual. By way of example, if an individual has made a donation to a charity in the relatively recent past, it would be reasonable to assume that he would not object to receiving a newsletter about the charity's activities and any forthcoming fundraising events, and it is certainly in the legitimate interests of the charity to provide that information. If, however, the individual contacts the charity and asks not to receive such communications in the future, that request would have to be respected, as his personal interests now override the legitimate interests of the charity.
The maximum penalties under the GDPR for breaches are significant. They fall into two tiers. The lower tier carries a maximum of €10,000,000 or 2% of annual worldwide turnover, whichever is higher, for breach of the obligations to maintain records, to report breaches, to obtain consent in relation to children's data, and to appoint a Data Protection Officer where one is required. The higher tier carries a maximum of €20,000,000 or 4% of annual worldwide turnover, whichever is higher, for breach of the basic principles of processing, for ignoring Data Subjects' rights, and for unlawful transfers of data to third countries.
Fines are to be set at a level which is effective, proportionate and dissuasive. However, the Regulation also requires regard to be had to the following:
a. gravity, nature and duration of the infringement;
b. nature, scope, purposes of processing;
c. categories of personal data affected;
d. numbers of affected Data Subjects and level of damage suffered;
e. financial benefits to the breaching party;
f. whether the infringement was intentional or negligent, and any previous infringements;
g. adherence to an approved Code of Conduct or certification scheme;
h. mitigating action taken, such as cooperation with the supervisory authority.
It will be interesting to see how the supervisory authorities weigh these factors when fixing the level of fines.