GDPR Guide

GDPR may already be set in law, but it is not due to ‘go live’ until 25th May 2018. Therefore, it is likely to be an evolving subject, and this guide is simply meant as just that - a guide, looking at GDPR from the perspective of December 2017, before the law has actually been implemented. This guide is not definitive, but rather an educated perspective based on a collection of information from multiple sources about what is known about GDPR at the point of writing it.

The General Data Protection Regulation (GDPR) will come into force on 25th May 2018 and is a Regulation designed to set the guidelines going forward for the collection and processing of personal identity information by companies and organisations.

This new Regulation replaces the EU Data Protection Directive of 1995, and will be part of EU privacy and human rights law. The previous Directive meant that data laws were implemented individually in each country and were not consistent across the EU. GDPR should bring greater consistency and harmony by bringing all data protection elements under one law for all countries.

The Regulation from the EU, which consists of 99 articles, under the guidance of 6 privacy principles, covers data that is produced by an EU citizen, whether or not the company processing that data is located within the EU and it covers people who have stored data within the EU, whether or not they are EU citizens.

The UK was very involved in the drafting of the regulation which was designed to make companies take the issue of data protection more seriously and to strengthen the rights that EU citizens have over their data.

The Focus of GDPR

The focus of GDPR is on ensuring that businesses are transparent and protect individual privacy rights i.e. data will be viewed more as the property (and under the control of) the individual or user rather than the business or provider.

Who Does It Apply To?

GDPR applies to all UK and worldwide companies and organisations that store, process and use the data of EU citizens, and people “living in the UK”. This means that it also applies to:

• People from countries outside the EU who are currently working, or staying / on holiday in the UK.

What ‘Data’ Does It Apply To?

The kind of ‘data’ covered by GDPR includes data stored on / in / at:

• Paper filing systems and paper in filing cabinets and storage.
• Computer filing systems and databases.
• Mobile devices, and mobile storage devices e.g. USB sticks and external zip drives.
• PC and laptop hard drives.
• 3rd party outsourcing companies e.g. accounts, payroll, telesales / marketing, cloud providers.

GDPR covers organisations / groups that previously didn’t have to register under the Data Protection Act e.g. charities, sports clubs, and any group that holds personal information e.g. names, addresses, email addresses, telephone numbers, and even stored facial recognition images.

Also, one important difference with GDPR is that companies will no longer need to register with the ICO, no longer need to pay a fee to them, and no longer need to disclose to them what information they intend to store about data subjects (customers and others).

A Wider Scope of ‘Personal Data’ Under GDPR

GDPR will also cover a much wider area in terms of what counts as personal data.

Under the new Regulation, any data that could identify an individual such as genetic, mental, cultural, economic or social information will count as personal data.

What About Brexit?

GDPR is a ‘Regulation’ (not a Directive) and, therefore, will apply to all EU member states. The UK referendum result means that it will no longer be an EU member state in the near future. However, GDPR will come into force on 25th May 2018, before the UK’s Brexit matters are concluded, and since it applies to companies that deal with the data of EU citizens, it (or at least the UK’s own Data Protection Bill) will apply after Brexit.

UK Information Commissioner, Elizabeth Denham has said that she supports the UK adopting the EU regulation even post-Brexit because if the UK is to continue doing business with Europe, British businesses will need to share information about and provide services for EU customers.

The UK’s Equivalent of GDPR? The Data Protection Bill.

With this in mind, the UK is bringing in its own Data Protection Bill, which was announced in the Queen’s speech in June 2017, and was introduced to the House of Lords on 13 September 2017. This will allow UK businesses to continue doing business with the EU post-Brexit. GDPR will become law in the UK in May 2018, but the Data Protection Bill will enable UK businesses to make the transition after March 2019, the current tentative date for the UK leaving the EU (Brexit).

This new UK DPB will replace the Data Protection Act 1998, and will essentially transfer the EU’s GDPR into UK law. The Bill covers many exemptions, restrictions, and clarifications relating to GDPR. Crucially, the Data Protection Bill will mean that:

• It will be easier for people to see / obtain the data that organisations hold about them, and to withdraw consent for the use of their data.
• People can ask for their data to be erased / forgotten.
• Companies will need to ask for explicit consent to process personal data.
• More things will be included under the term ‘personal data’ e.g. IP addresses, DNA and even cookies (text files loaded onto computers during website visits).
• Re-identifying people from sources such as anonymous or pseudonymised data will be a criminal offence.

DPB Extra Powers - ‘Assessment Notices’

The DPB will give extra assessment powers to UK regulators that are not currently available unless they relate to government agency. For example, new ‘Assessment Notices’ will give the Information Commissioner’s Office (ICO) the powers to enter the premises of any organisation, and to audit its data security compliance e.g. by examining documents, equipment and processing of data.

If it is decided from the audit that an organisation is not DPB compliant, enforcement notices and a schedule for correction can be put in place. Fines can also be issued of the same level as GDPR e.g. 4% of an organisation’s worldwide revenue.

Just as GDPR compliance sounds challenging to businesses / organisations that are not prepared, it could represent an even bigger challenge to businesses (UK companies and UK-based multinationals) / organisations that have neglected data the enormous amounts of data held in file systems. For them, the DPD will doubtless come as a shock..

Keeping Audit Logs

Under GDPR something as simple as a published privacy policy will no longer suffice. Companies / organisations will have to keep an audit log of how they are compliant. Privacy must be by default, and companies / organisations must have concrete proof of their compliance.

GDPR - The Six Privacy Principles

With GDPR, there are 6 principles which give companies a broad, top level overview of which areas are covered by the new regulation. These principles are:

1. Lawfulness, fairness and transparency

Transparent: The subject must be told what data processing will be done. 
Fair: What is processed must match how it has been described
Lawful: Processing of the data must meet the tests described in GDPR [article 5, clause 1(a)].

2. Purpose limitations

Personal data can only be obtained for “specified, explicit and legitimate purposes” [article 5, clause 1(b)]. This means that data can only be used for a specific processing purpose that the subject has been made aware of and no other, without obtaining further consent from the subject.

3. Data minimisation 

Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. [Article 5, clause 1(c)]. This means that no more than the minimum amount of data should be kept for specific processing.

4. Accuracy

Data must be “accurate and where necessary kept up to date” [article 5, clause 1(d)]. Baselining (comparing current computer network performance to a historical metric) can help to ensure good protection, and protection against identity theft. Data holders should also build rectification processes into data management and archiving activities for subject data.

5. Storage limitations

The Regulator will expect all personal data to be “kept in a form which permits identification of data subjects for no longer than necessary”. [Article 5, clause 1(e)]. This means that businesses / organisations will need to stay on top of the job of removing any data that is no longer required.

6. Integrity and confidentiality

Processors of data will need to handle that data “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage”. [Article 5, clause 1(f)].

Obtaining Valid Consent For Information Use - A Challenge

Under the new regulations your company / organisation MUST be able to PROVE clear and affirmative consent to process personal data.

This means that your company / organisation must remember to explain clearly, and exactly what personal data they are collecting and how it will be processed and used. Your company / organisation will therefore need to make sure that this step is built into every occurrence of personal data collection without fail and that the proof is stored and can be accessed quickly if necessary. The information that you supply has to be human understandable i.e. descriptions of products / services / treatments supplied need to clear, and not based around internal codes / product codes.

Opt In Rather Than Opt Out

Under GDPR, people must be able to opt-in rather than opt out i.e. the options for receiving information (e.g. on web page contact forms) from companies must not be already ticked. The accompanying wording must also clearly state that ticking a box means opting in. Other implications of a change in the rules regarding consent are that:

• Companies / organisations will need to simplify their Terms and Conditions so that they are clear and informative, rather than being filled with confusing, baffling references and legalese. After 25th May, T&Cs and consent requests for the purposes of data processing will need to be intelligible, in an easily accessible form, and written using clear and plain language. It will also need to be easy for a person to withdraw their consent.
  
• Rather than requesting (on a website contact page) that people sign up for something (e.g. a newsletter) and asking for an email address and / or telephone number, the wording could be changed to ask people to sign up to be contacted, not specifying exactly how. It may also aid compliance for an auto-responding email to be sent, asking a person to confirm that they want to opt in. Information such as the date, time and IP address of the individual sign-ups should be recorded, because the data given (name, email and telephone number) identifies the person.
  
• You / your company will not be able to contact anyone, after 25th May 2018, that you do not have consent from. This, in theory, could also stop unsolicited emails and phone calls to you, if those companies / organisations choose to comply. It will also mean that you / your company can no longer use lists that you’ve bought to send emails or make calls. This could have implications for affiliate marketing i.e. if affiliates are contacting people on your behalf, you will need to be certain that they are GDPR compliant, and are doing so with consent.

Data Protection Impact Assessments - DPIAs

Under GDPR, Data Protection Impact Assessments will become an important (and mandatory) way of identifying, assessing and mitigating or minimising privacy risks with data processing activities. This could be particularly relevant when a new data processing process, system or technology is being introduced.

DPIAs also support the accountability principle. In other words, they help organisations to comply with the requirements of GDPR and demonstrate that appropriate measures have been taken to ensure compliance.
Under the GDPR, Data Controllers must conduct PIAs where privacy breach risks are high so that the risks to data subjects are minimised. This means that to minimise risks to data, subjects DPIAs will be needed.

The importance of the use of DPIAs in building compliance is underlined by the potential penalties of failing to do so. If companies / organisations fail to adequately conduct a DPIA where it is deemed to have been appropriate, this could result in fines of up to 2% of an organisation's annual global turnover or €10 million, whichever is greater.

Many Organisations Will Need To Appoint a Data Protection Officer (DPO)

If you are a public authority processing personal information, or if your main activity involves the regular and systematic monitoring of data subjects on a large scale, or if your main work involves the processing on a large scale of special categories of data you will need to appoint a Data Protection Officer (DPO).

This person will need to be very familiar with all aspects compliance with existing (and new) UK and the new EU regulations. This could therefore have an impact on staffing and resources (for training).
Your company / organisation as the ‘Data Controller’ will, therefore, need to make sure that your DPO is trained and certified. This will help with the company / organisations’ compliance, as well ensuring that correct practice is used by the DPO.

What Will The DPO Do?

The DPO’s role will include:

• Getting involved with all matters relating to the protection of data e.g. in the company and through relationships with 3rd parties.
• Consulting with Data Controllers on DPIAs (explained in the previous section), and providing instruction to Data Controllers on their obligations under GDPR.
• Monitoring compliance of the Data Controller’s policies with GDPR, the DPB, and any other relevant laws.
• Dealing with communications from data subjects about their rights and the processing of their data.
• Facilitating and carrying out audits.
• Attending meetings relating to data processing, and co-operating and consulting with authorities where necessary.

There Will Be a Common Data Breach Notification Requirement of 72 hours

Your organisation will need to have the capability and systems in place to enable it to monitor for, identify and notify the ICO of a data breach within 72 hours of discovering it.

The Right To View Data

Under GDPR, data subjects have the right to ask to view what data you store about them. If you have stored data in paper files, GDPR still applies and this may pose an obvious challenge. Also, whereas the Data Protection Act allowed businesses to ask for a nominal charge for subjects to see their data, under GDPR this will be free.

The Right To Be Forgotten

Your company / organisation must not hold data about a person for longer than is necessary, must not change the use of the data from the purpose for which it was originally collected (when consent was given for that specific purpose), and must delete any data about a subject at the request of that data subject.

This gives subjects the right to opt out completely i.e. ‘the right to be forgotten’. GDPR does not, however, over-ride all individual country / industry laws on this issue i.e. banking laws where some of your details may need to be retained.

Article 12 of the GDPR specifies that a request for access or destruction of personal data must be free of charge, easy to make and must be fulfilled without ‘undue delay’ and at the latest within one month (although it is currently understood that this may take longer in some cases).

This is one important way in which GDPR differs from previous data laws, and puts control back in the hands of the data subject.

The Right To Withdraw Consent

Companies and organisations must provide an accessible way for data subjects to unsubscribe from / opt out of receiving online and offline communications that they have previously consented to. The company / organisation must comply with the request, and record when the request was made.

The Right of Portability

Your customers / data subjects will have a ‘right of portability'. This means that, under GDPR, a person can force a company to transfer all data that is stored about them to a competitor and that company cannot refuse. This could be particularly challenging for large companies.

The Right Not To Be Profiled

Customers can ask companies / organisations not to combine their personal details with (for example) their purchase history to enable profiling that could take the form of e.g. targeted advertising. This could have serious implications for some aspects of marketing e.g. grocery retailing.

Liability Goes Beyond Data Controllers

Under GDPR it won’t just be the Data Controller (DC) who is held liable for data processing issues.

Liability and responsibility will extend to all organisations that touch the personal data of the subject / subjects.

This will help to ensure that companies / organisations take a close interest in all parts of the data storage and processing chain to ensure compliance all the way along, within the organisation, and in the choosing and management of 3rd party relationships.

Privacy Must Be Designed and Built-In To The System

Privacy by design means that your software, your systems and processes must be designed around compliance with the principles of data protection every step of the way.

If you use 3rd party companies e.g. cloud suppliers, you are reliant on them building-in privacy by design, such as encryption. Other elements of your systems, such as bespoke software written before privacy by design and using software that doesn’t use encryption is, therefore, likely to be non-compliant. Old systems may, therefore, need to be replaced.

The Regulations Apply Wherever You Are In The World

Under GDPR, any European data protection authority is able to take action against organisations regardless of which country they are based in.

The Penalties Are Much Bigger

The penalties for non-compliance with GDPR are much greater than the penalties for non-compliance with the existing Data Protection Act. Figures / analysis by Oliver Wyman, for example, show that FTSE 100 companies could face fines of up to GBP 5 billion for breaches of the GDPR. Had GDPR been in place for the past five years, the top listed UK companies could have been fined GBP 25 billion.

Under GDPR, failing to gain consent to process data or a breach of privacy by design, will mean that companies / organisations will be fined up to €20 million, or 4% of their global turnover (whichever is greater).

Under GDPR, fines will be levied using a tiered approach, depending upon the scope of the violation. Lesser violations e.g. records not being in order, or failure to notify the supervisory authorities, or not conducting a PIA where it was necessary, could mean that companies / organisations incur fines of 2 per cent of global turnover.

What Does All This Mean For Your Business / Organisation?

GDPR will mean that companies / organisations like yours will need to take a fresh look at how they deal with personal data in all aspects of operations, and what business relationships they have with 3rd parties.

GDPR requires privacy by default. Each EU citizen and person living in the UK will have the right to expect that data about them is stored securely and those storing the data e.g. companies / organisations, must be able to demonstrate compliance.

Hardly any data will not fall under GDPR which means you will need to take GDPR seriously and become very familiar with it and its implications. GDPR also means that:

• Your company will need to be clear about getting consent to use a person’s data for just the specified purpose and not regard silence or inactivity as consent.
  
• You may need to prepare to select a DPO for appointment, and your company may require a lot of training so that everyone understands basic compliance. This could mean that the kind of human error that could cause a data breach is minimised.
  
• Your data security policies may need to be changed and the changes promoted across the company. You will also have to develop highly effective systems for monitoring for any data breaches. There will also be the need to design compliance into all data handling and processing systems, and could mean starting the analysis and thought process now to ensure that you are ready for 25th May 2018.
  
• You will have to develop effective systems that ensure fresh consent is gained before you alter the way you use data, and that all data on a subject can be easily and quickly deleted on request.
  
• Extra staff training will be needed. All staff need to be given training about GDPR and how it applies to their work and the business / organisation, preferably at the induction stage. Records of that training must also be kept. GDPR training should also be repeated on a regular basis, and employee acknowledgement that the training has been received needs to be kept in order to show that the company / organisation is making the effort to comply.
  
• Mobile / portable devices that leave the building e.g. laptops will need to be encrypted / the data on the hard drive will have to be encrypted. USB sticks should also not be used in case they are stolen or lost. Company mobile phones will also need encryption to be enabled, without using a 3rd party service to do so.
  
• If your company provides data processing services for anyone else’s personal data, you will need to consider your liability and be compliant with the new EU regulations.
  
• Only having to deal with one supervisory authority rather than a different one for each EU state should simplify things for businesses like yours, although EU citizens will still be able to register any complaints to the data protection authority of their choice.
  
• GDPR provides an opportunity as well as a threat to your company / organisation. Becoming GDPR (and DPO) compliant could be a source of competitive advantage as other companies / organisations will be seeking to minimise their own risks by only associating with compliant partners / stakeholders.
  
• You will no longer be able to rely upon simply listing data subject details e.g. for mail outs / to load into mailing programs, on excel spreadsheets. Shared files in non-secure formats that don’t have audit capability i.e. to show who updated it last are unlikely to be adequate or compliant, could pose a security / privacy risk to your company / organisation.
  
• The Data Protection Act only covered Data Controllers as owners of the data, and outsourced controllers e.g. accounts or payroll, were your data processors and were, therefore, not part of your registration for the Data Protection Act. Under GDPR, any service that has access to, or that you are sending personal data to, has to be GDPR compliant, and a two-way binding agreement will be needed, stating that your data is secure with them.
  
• Using remote access / CRM / foreign suppliers could be an area of risk for your company as regards GDPR compliance. Companies / organisations may wish to consider avoiding the use of certain foreign suppliers in countries not recognised by EU as not having adequate provision of data privacy laws.
  
• If your company uses a cloud service e.g. Office 365, Azure or other, these services will need to be compliant by 25th May 2018.
  
• Under GDPR, business emails should not be sent from a personal email address e.g. via your personal mobile, because this could give data subjects a ‘right of access’ to your personal email account.
  
• Avoidance strategies suggested by some companies e.g. putting aside 4% of turnover to pay fines in order to avoid making the effort to be become GDPR compliant, or relying on cyber insurance (or even shifting excess cyber insurance capacity to the Bermuda market) are unlikely to be successful or sustainable tactics going forward.