Background and Brexit
The General Data Protection Regulation (GDPR) will apply with direct effect in all European Union (EU) Member States from 25 May 2018.
The UK Government has confirmed that Brexit is not expected to affect the commencement of the requirements of the GDPR in the UK. The first reading of the UK’s proposed Data Protection Bill (Bill) took place on 13th September 2017. Following its third reading in mid-January, the Bill was presented to the House of Commons on 18 January 2018. At the time of writing the date of the second reading in the House of Commons was still to be announced. The Bill is intended to replace the existing Data Protection Act 1998 and implement the GDPR into UK law, whilst exercising a number of permitted derogations from the GDPR.
Although it is unclear when the Bill will receive Royal Assent, it is clear that the UK is keen to ensure equivalence and adequacy with the GDPR post-Brexit. Companies should therefore continue to plan for the implementation of GDPR standards in light of the impending Bill.
An overview of the provisions and requirements of the GDPR
Territorial scope: The GDPR will apply to non-EU establishments where data about data subjects in the EU is processed in connection with “offering goods or services” to those European data subjects or “monitoring” their behaviour. Non-EU entities that are subject to the GDPR will be required to designate a representative in an EU Member State (unless limited exceptions apply).
Fines: The fines under the GDPR are significantly higher than those which can be imposed under current law (up to £550,000 under current UK law). Under the GDPR, fines for breaches of certain important provisions can amount to up to €20 million or 4% of global annual turnover, whichever is the greater. Fines for breaches of other provisions can amount to up to €10 million or 2% of global annual turnover, whichever is the greater.
Data governance and accountability: The GDPR places onerous accountability obligations on organisations to demonstrate compliance with the GDPR. Some of the elements that must be demonstrated are explicit (whilst some are implied by the language of the GDPR). The net effect of the additional requirements is that all large organisations will need to implement a formal data protection programme to demonstrate data protection is taken seriously.
This will include having policies that set out how to comply, coupled with training to bring those policies to life, and taking steps to show that data protection compliance has been taken into consideration and that the organisation has implemented appropriate compliance measures in relation to its data processing activities. Organisations will also be required to maintain a formal, written record of the processing activities under their responsibility.
A data protection officer will also need to be appointed in certain circumstances. A data protection officer is responsible for monitoring compliance, advising the organisation on compliance with the GDPR and acting as the main point of contact in relation to data protection compliance.
Data processors: Data processors are organisations which process personal data for and on behalf of another organisation (the data controller). Under existing law, they have no statutory obligations or liability. The GDPR changes this – data processors will have direct obligations under the GDPR. These include requirements to implement technical and organisational security measures to protect personal data, an obligation to keep a register of data processing activities, direct obligations to comply with the rules relating to the transfer of personal data outside of the EU and restrictions on their ability to engage sub-processors. Data processors can be liable for fines from data protection regulators and for claims from the individuals to whom the personal data they process relates (data subjects) where they breach their obligations under the GDPR.
Consent: The GDPR includes new limitations on the use of consent as a ground for processing personal data. This includes requirements that consent language is separate from other information and is unbundled. It also requires that it must be as easy to withdraw consent as to give it.
Fair processing notices: The information that is required to be given to data subjects is extended to include details of the grounds used to justify the processing, the period for which the personal data will be retained, the export mechanism relied on (see below) if the data is exported outside the EU, and the source of the data (if not the data subjects themselves).
The notice must highlight that consent may be withdrawn, the existence of the data subject rights (see below) and the right to lodge a complaint with the data protection regulator.
Data subject rights: The rights that data subjects have in respect of their personal data have been enhanced under the GDPR, including rights to have personal data transmitted to themselves or to another data controller, to require the controller to erase personal data in some circumstances, and to obtain more information about a data controller's processing (export solution, storage limits) through a subject access request. Organisations must respond to requests from data subjects within a shorter time period than under current law.
Personal data breach: Under the GDPR, organisations must notify the data protection regulator within 72 hours of the breach and, in certain high risk circumstances, the individuals to whom the personal data relates without undue delay. Organisations must also maintain a personal data breach register.
Export of personal data: The shape of the export restrictions remains similar to that under current law, in that personal data cannot be exported outside of the European Economic Area (EEA) unless the recipient non-EEA country has been deemed by the European Commission (Commission) to offer adequate data protection safeguards or a valid export mechanism has been put in place (e.g. Commission-approved model clauses or Binding Corporate Rules). Failure to comply with the export rules can attract the highest tier of fines, 4% of worldwide turnover.
Guidelines on automated individual decision-making and profiling for the purposes of the GDPR
On 3 October 2017, the Article 29 Data Protection Working Party (Working Party) adopted guidelines on automated individual decision-making and profiling for the purposes of the GDPR. The GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. The purpose of the guidelines is to clarify those provisions.
Guidelines on personal data breach notification under the GDPR
On 3 October 2017, the Working Party adopted guidelines on personal data breach notification under the GDPR. The guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these new obligations. They also give examples of various types of breaches and who would need to be notified in different scenarios.
Guidelines on data protection impact assessment
On 4 October 2017, the Working Party adopted revised guidelines on data protection impact assessment and determining whether processing is “likely to result in a high risk” for the purposes of the GDPR. In order to ensure a consistent interpretation of the circumstances in which a data protection impact assessment is mandatory (Article 35(3)), the guidelines clarify this notion and provide criteria for the lists to be adopted by Data Protection Authorities under Article 35(4).