10 things you need to know and what they mean for your firm
Time is running out to prepare for what is being described as a major overhaul of the EU data protection regime. The General Data Protection Regulation (GDPR) will apply from 25 May 2018, and you need to be ready.
The GDPR changes a number of things compared with the current 1995 Directive. The 10 most important are:
1. Expansion of the definition of personal data to include more categories of data within its scope. These include identification numbers, location, online identifiers and factors specific to the individual's physical, physiological, genetic, mental, economic, cultural or social identity. The definition of 'sensitive personal data' now includes genetic and biometric data.
2. Introduction of further limitations or additional conditions on some of the legal grounds for processing data (which largely remain the same). These include the use of consent, and conditions on processing pursuant to a legal obligation or on further processing. It also elaborates on what constitutes the legitimate interests of the controller. Importantly, the GDPR tightens the definition of 'consent', which has to be 'freely given', specific, informed and an 'unambiguous indication' of the data subject's wishes, given by a 'statement or by a clear affirmative action'.
3. Extraterritorial reach when data controllers offer goods or services to, or monitor, data subjects in the EU. Therefore, companies based outside the EU will still need to comply with the GDPR when processing the personal data of anyone in the EU.
4. 72-hour data breach notification: the supervisory authority must be notified within 72 hours of the controller becoming aware of the breach (unless the breach is unlikely to result in a risk to individuals). Where a breach poses a high risk to the data subjects, they too will need to be notified 'without undue delay'.
5. Significantly higher penalties for infringements, with a maximum fine of up to four per cent of a business's total worldwide annual turnover or €20 million, whichever is higher.
6. Mandatory data protection officer (DPO) for public authorities or bodies and where the organisation's core activities involve:
a) regular and systematic monitoring of data subjects on a large scale or
b) large scale processing of special categories of data and/or data relating to criminal offences.
The DPO must have sufficient expert knowledge of data protection law, and should act independently and report to the highest level of management.
7. Stronger data subjects' rights, in particular the right to erasure (the 'right to be forgotten') and the right of access, and new rights such as the right to data portability.
8. Direct obligations for processors and more obligations for controllers (partly due to the expanded rights of the data subjects).
9. Accountability for data practices of controllers and processors. These include data protection policies, record keeping obligations, archiving and deletion, data management, data protection impact assessments and providing information to data subjects.
10. Privacy by design to force controllers and processors to think about privacy and data protection from the start to the end of any processing activity and at all levels of responsibility within an organisation.
So what does all this mean for your firm?
The GDPR takes a risk-based approach to data protection. This means that many of the measures your firm adopts will depend on your own assessment of the risks in your processing, an assessment you will have to make internally, with or without external guidance.
Although there are many ways to get ready for the GDPR (see ICO's 12 steps guide), you may want to consider:
- mapping what kind of data you collect and hold, and what data should be deleted, archived or anonymised
- the legal basis for processing this data - where you rely on consent, think about how you collect it and how you document it, bearing in mind it has to be freely given
- whether you need a data protection officer, especially if you process sensitive personal data (including data on criminal convictions)
- reviewing and amending your current privacy notices and information given to data subjects
- reviewing your relationships with subcontractors to clarify tasks and responsibilities - this is especially important with regard to allocation of liability in case of data breaches
- making sure you have in place internal procedures for managing data - this is important because:
  - you will need to act quickly to notify a data breach, and having good systems in place will help you identify its severity and who needs to be told
  - it will make the exercise of data subjects' rights possible - in particular, complying with subject access requests (SARs), which have to be handled 'without undue delay' (and at the latest within one month of receiving the request). The latest case law in England and Wales (see 'Subject access requests and litigation: unwelcome clarity?') is clear that it is the controller's responsibility to show it carried out a proportionate response to the SAR
  - you will need to demonstrate to the regulators that you have implemented the relevant measures to ensure compliance
Where to get help and support
The GDPR will have a significant impact on the way your firm processes personal data and will require considerable effort to comply with. Fortunately, there is some guidance.
The Information Commissioner's Office (ICO) has published a guide on preparing for the GDPR.
The Article 29 Working Party, which gathers data protection regulators from 28 member states, has published guidelines on:
Later this year it's planning to issue draft guidelines on consent, data breaches and profiling.
The Council of Bars and Law Societies of Europe (CCBE), pan-European organisation representing the legal profession, has published:
The EU and national regulators have informed organisations of the new requirements and the support they will offer.