With less than a year to go, is your understanding of, and activity on, the General Data Protection Regulation (GDPR) up to speed?
All organisations that collect, store and process personal data must be compliant with the GDPR by 25th May 2018.
There are no transitional arrangements after this date and commencement will not be affected by Brexit.
Maximum penalties for non-compliance are EUR 20 million or 4% of global annual turnover (whichever is greater).
What is the GDPR?
The GDPR was adopted by the European Parliament in April 2016 and comes into full force on 25th May 2018, following a two-year transition period. As an EU regulation, it does not require national governments to draw up local legislation; in the UK, it will replace the 1998 Data Protection Act (‘DPA’).
The GDPR was conceived from three driving principles:
- to give individuals more clarity and control over how their personal data is used including stronger options over issues such as deletion and data portability;
- to bring data protection up to date with technology and data uses that were not foreseen at the time of the earlier 1995 directive; and
- to provide organisations with a simpler legal environment by introducing the same data protection law throughout the Single Market.
The GDPR applies to all organisations operating within the EU; it also applies to non-EU entities that provide goods or services to individuals within the EU or process their data. It applies not only to electronic data handling systems but also to other organised filing systems on paper or other media.
The GDPR will result in changes to the way organisations manage personal data; some of the major changes from existing UK legislation are as follows:
- The GDPR extends the definition of personal data… for example, online identifiers. It also broadens the scope of sensitive personal data to encompass genetic and biometric data when processed to identify an individual. Well-designed systems ought to be able to accommodate such changes but, in the worst case, reclassification of data might require changes to algorithms and database tables.
- Where data processing relies upon consent, clear affirmative action will be required by the individual; pre-filled check boxes or inaction when completing a form will not be sufficient. Written documents or web pages must comply with new rules regarding clarity, language and contain information prescribed by the GDPR. Parental or guardian consent is required for children under the age of 16 years (though individual EU states can reduce this to 13).
- Data must be collected only for the purpose specified, and procedures should be in place to ensure that it is accurate and, where necessary, kept up to date. Data in a form that permits identification of the individual must be kept secure and retained only for as long as required for the purpose for which it is collected.
- The GDPR includes rules relating to automated decision making and profiling. These are generally similar to those under the DPA, but there is clarification of the individual’s rights, the need to provide clarity and fairness throughout the process and the need for consent.
- There are new rules for data governance, including rules for impact assessments, record keeping and staff training. Data procedures must be built on the principle of ‘privacy by design’ and meet the requirement that data should only be collected to fulfil specific purposes and be discarded when it is no longer required.
- There is a new principle of accountability, and the requirement for effective data governance is tightened. Data protection should be embedded into operations, and procedures should be properly documented and available for audit. Specific rules are set out covering areas such as impact assessments and maintaining records of data processing activity.
- Organisations must respond to a Subject Access Request (SAR) within one month and, under the GDPR, cannot charge a fee for the information (there are exceptions for manifestly complex, unfounded or excessive SARs). A SAR response must confirm whether the individual’s data is being processed, what data is held, and details of by whom, where, why and for how long the data will be used and its source (if not obtained from the individual); in addition, information about how to correct, complain, request erasure or restrict processing of the data, and what safeguards are in place if it is transferred outside the EU, must be provided.
- To manage SARs efficiently and, generally, to be able to demonstrate good governance over data, organisations will need well-structured databases with sufficient metadata to provide a full audit trail showing – at individual level – how that data has been processed, transferred and protected.
- The relationship between data controllers (who acquire and use the data) and data processors (who handle data on behalf of controllers) will change. Historically, legislation put the onus for data protection onto controllers who then managed the activity of processors through contractual terms. Whilst not exempting controllers, the GDPR places specific liability onto processors and mandates new requirements for controller-processor contracts. As there is no transitional arrangement after May 2018, existing contracts must comply and may need renegotiation.
- The GDPR restricts the transfer of data to non-EU countries unless the Commission is satisfied that the country, or applicable sectors within the country, ensures an adequate level of protection. After Brexit, the UK is unlikely to come under this restriction given the criteria used by the Commission to assess non-EU countries.
- There is a new requirement to notify the data protection authority (the Information Commissioner in the UK) within 72 hours of becoming aware of a data protection breach. In addition, individuals must also be notified if the breach results in a high risk to them, though a timescale is not stipulated.
- Public sector bodies must appoint a Data Protection Officer (DPO); this is a key compliance role and the GDPR sets out responsibilities as well as rules regarding their position and authority within the organisation. These rules also apply to controllers or processors with over 250 employees whose core activity is large scale handling of personal data; although not mandatory, other organisations who appoint a DPO should follow the same rules.
These changes require significant action by UK organisations; even those that have already implemented current best practices have work to do.
Organisations need to review their current data protection arrangements in detail against the GDPR and instigate action to ensure compliance by 25 May 2018.
Both data controllers and data processors will need to act to meet their new obligations under GDPR.
Such action will fall into several stages:
- Data audit to fully verify the current position and identify what data is in scope of GDPR.
- Data mining to understand current data quality and identify specific enhancement, correction or erasure requirements.
- Review of current practices across the end-to-end ‘supply chain’ handling GDPR relevant data to verify protection arrangements and responsibilities at each point and identify corrective actions.
- Strengthening and demonstrating governance and data management arrangements including putting a DPO in place where necessary.
- Planning and initiating change initiatives and projects to achieve compliance.
- Execution of change projects taking into account interdependencies and the protection of data during the transition itself.
Some changes are likely to take a significant time to execute: for example, recruiting a DPO could take six months and restructuring a database or data processing system could take longer. As it is likely that an organisation will need to manage a number of initiatives, these will have to run in parallel to achieve compliance before May 2018.
The skills and knowledge required to review the current governance framework will be an issue for many organisations, given the need to map their data, understand how and where it is processed and confirm its protection.
As all organisations are heading towards the same GDPR deadline, there will be competition for good resources so they must plan ahead and ensure that the scope and shape of this work is understood in good time.
The GDPR must be fully applied from 25 May 2018 and any organisation handling personal data must be compliant by that date.
There are many areas of impact covering not just the data and how it is consented, collected, stored and processed but also new rules for governance and accountability.
The breadth and depth of the GDPR's impact is such that organisations need to plan and put in place the capacity and capability to make the required changes by 25 May 2018; there is not a lot of time left and, for many, still a lot to do.