GDPR comes into force across the 28 EU member states and the other three countries of the European Economic Area (EEA), namely Norway, Iceland and Liechtenstein, on 25th May 2018. It replaces the EU Data Protection Directive and all national data protection legislation.
GDPR is generally associated with the storage and processing of personal and/or sensitive data. Breaches of GDPR can involve fines of up to 4% of a company’s annual worldwide turnover.
The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person (“a data subject”) who can be directly or indirectly identified, in particular by reference to an identifier. Examples of such identifiers include:
- Telephone Numbers
- Email Addresses
- Birth Date or Birth Location
- Employee Number
- Passport Number and details
- Driving License Number and details
- Credit/Debit Card Numbers or other personal financial details
- Salary details
- Health Reference Numbers
- National Insurance Number
- IP Addresses
- Location Data
- Personal Photographs
A piece of personal data does not need to contain the person’s name to fall under GDPR, since it could be used indirectly to identify that person.
Sensitive Personal Data
The GDPR applies to ‘sensitive personal data’ meaning data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data relating to criminal offences falls outside GDPR and is governed by national laws; it would also be considered sensitive personal data.
If you are holding sensitive data on a person then you should seriously consider whether you should retain it at all and how retaining it could be justified. Legal opinion should be sought.
Anonymous Data and Pseudonymous Data
GDPR does not apply to data that has been rendered anonymous as long as the individual cannot be identified from the data.
Pseudonymous data requires a key to identify the individual and is still considered personal data under GDPR. However, if the key is kept separate and secure then the risks are very low. GDPR encourages organisations to consider pseudonymising personal data in order to fulfil their obligations under “privacy by design” and “privacy by default”.
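The separate-key pseudonymisation described above, as an added example that is not from the original page: identifiers are replaced with keyed HMAC tokens so the working copy can be analysed and linked without revealing who is who, while the key and the lookup table are held apart and are the only route back to the individual. The records, field names and helper functions are constructed for illustration.

```python
import hashlib
import hmac
import secrets

Record = dict[str, str]

# Constructed sample records (hypothetical people) holding direct identifiers.
RECORDS: list[Record] = [
    {"employee_number": "E1001", "email": "alice@example.com", "salary_band": "B"},
    {"employee_number": "E1002", "email": "bob@example.com", "salary_band": "C"},
    {"employee_number": "E1001", "email": "alice@example.com", "salary_band": "B"},
]
IDENTIFIER_FIELDS = ("employee_number", "email")


def pseudonym(value: str, key: bytes) -> str:
    # Keyed HMAC rather than a plain hash: without the key nobody can recompute
    # the token from a guessed identifier such as a known email address.
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: list[Record], key: bytes) -> tuple[list[Record], dict[str, str]]:
    """Replace identifier fields with tokens. Returns the working copy and the
    re-identification table; the table and the key belong in a separate,
    access-controlled store, never beside the working copy."""
    working, lookup = [], {}
    for rec in records:
        out = dict(rec)
        for field in IDENTIFIER_FIELDS:
            token = pseudonym(rec[field], key)
            lookup[token] = rec[field]
            out[field] = token
        working.append(out)
    return working, lookup


def reidentify(record: Record, lookup: dict[str, str]) -> Record:
    """Restore identifiers; only possible for a holder of the lookup table."""
    return {f: lookup.get(v, v) if f in IDENTIFIER_FIELDS else v for f, v in record.items()}


def leaks_identifier(records: list[Record], originals: list[Record]) -> bool:
    """Check that no original identifier value survives in the working copy."""
    raw = {r[f] for r in originals for f in IDENTIFIER_FIELDS}
    return any(r[f] in raw for r in records for f in IDENTIFIER_FIELDS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once and stored apart from the data
    working, lookup = pseudonymise(RECORDS, key)
    print(working[0], reidentify(working[0], lookup), sep="\n")
```

The same token is produced for the same person each time, so records can still be linked in the working copy, yet the copy remains personal data under GDPR because the key holder can reverse it.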
Data Controller and Data Processor
Data ‘Controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws.
Data ‘Processor’ means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Generally, the data controller under previous data protection legislation is highly likely to remain the data controller under GDPR. Similarly, GDPR generally does not change the meaning of data processor from previous legislation.
An organisation can be both a Data Controller and a Data Processor. An IT company performing services for its many clients would typically be considered a Data Processor for each client, the client being the Data Controller of the personal data. The IT company also has employees and uses sub-contractors; their CVs would be considered personal data for which the IT company itself is the Data Controller under GDPR.
Data ‘Processing’ means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
It is important to identify personal data and create an inventory of what it is and where it exists. It is equally important to document the processes that involve personal data, since without this it would be difficult to tell whether a breach has or has not occurred. Even viewing personal data on a screen is considered processing.
A ‘Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
For a breach to be recognised there must be a baseline that defines the authorised processing of personal data; without such a baseline, is all access to personal data a breach?
In order for the processing of personal data to be lawful, the controller requires either the consent of the data subject or another lawful basis.
‘Consent’ means any freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of his or her personal data. Consent must be given by a statement or a clear affirmative action.
Freely given consent will be difficult to prove even where consent has been granted. For example, an employee would normally give consent to their employer because of the unknown consequences of refusing. If consent is requested and not given, the data controller should consider what happens next.
Consent must also be specific. GDPR does not define the term ‘specific’, but consent cannot be open-ended. If there is a definition of the personal data held, how it is processed and for how long it is retained, this may be considered specific enough for an individual to provide consent in an informed manner.
The information provided in order to obtain consent must be clear and use plain language. “Silence, pre-ticked boxes, inactivity, failure to opt-out, or passive acquiescence do not constitute valid consent.”
There is a right for the data subject to withdraw consent. “Data subjects have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed of the right to withdraw consent. It must be as easy to withdraw consent as to give it.”
The Rights of Data Subjects
In order to ensure that personal data is processed fairly and lawfully, controllers must provide certain minimum information to data subjects, regarding the collection and further processing of their personal data. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Data subjects have the right to obtain the following:
- confirmation of whether, and where, the controller is processing their personal data;
- information about the purposes of the processing;
- information about the categories of data being processed;
- information about the categories of recipients with whom the data may be shared;
- information about the period for which the data will be stored (or the criteria used to determine that period);
- information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
- information about the existence of the right to complain to the DPA (Data Protection Authority);
- where the data were not collected from the data subject, information as to the source of the data; and
- information about the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on data subjects.
Additionally, data subjects may request a copy of the personal data being processed.
Data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.
Data subjects also have additional rights, including:
- a right of rectification, if the data contains errors,
- a right of erasure (to be forgotten), to have all personal data erased,
- a right to restrict processing, for example, if the data is inaccurate, not being used for its original purpose, or the processing of the data is unlawful,
- a right to have their personal data transferred to another data controller.
GDPR provides that a processor of personal data “shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.”
A sub-processor in this case is any party that is not employed by the organisation acting as Data Processor. GDPR is considered to pass down the supply chain, although it might be difficult to see how adequate controls could be enforced if the sub-processor in turn uses a third party. If the Data Processor uses IT contractors then they would be considered as employees. Either way, the Data Processor will need to ensure that employees, IT contractors and sub-processors each understand data privacy and security: how to recognise personal and sensitive data, the dos and don’ts when processing that data, how to recognise a breach, and what process is followed when a data breach occurs. Adequate training will need to flow down the supply chain, and training records should be maintained and renewed periodically.
Cross Border Data Transfers
If personal data is moved to, or is accessible by people or machines in, another jurisdiction, i.e. outside the 28 EU member states and the other three EEA nations, then a cross border data transfer situation arises.
If this situation occurs then legal advice should be sought. Switzerland, Jersey, Guernsey, the Isle of Man and Andorra are not part of the EEA but have received an Adequacy Decision from the Commission, although that may not remain the case in the future. Some other non-European countries have also received an Adequacy Decision and more may do so, but this position can change. Adequacy Decisions currently have a maximum life of 4 years.
Binding Corporate Rules (BCR)
The GDPR directly addresses the concept of BCRs. The competent DPA will approve BCRs as an appropriate mechanism for Cross-Border Data Transfers within a corporate group (including to members of that group that are established in third countries). If the BCRs meet the requirements set out in the GDPR, they will be approved, and no further DPA approval will be required for transfers of personal data made under the BCRs.
The Data Protection Authority must provide approval before one part of a corporation acting as a data processor can allow access to or transfer data to another part of its organisation which otherwise would be considered a cross border data transfer.
GDPR and Brexit
While the UK is currently signed up to GDPR, that may change in the future; we simply do not know how GDPR will affect the UK after Brexit, i.e. beyond 31 March 2019. A reasonable assumption is that data privacy laws will be at least as stringent as GDPR. It is also worth noting that as GDPR is implemented in member countries there may be some deviations, for example the age at which parents or guardians must provide consent for data associated with children to be processed (age 16 under GDPR, whereas the proposed UK bill will make the age 13), and France is proposing limitations with regard to the processing of genetic and biometric data.
The UK government has stated that it will comply with the GDPR, and that its compliance will not be affected by Brexit. On August 7, 2017, the UK Department of Digital, Culture, Media and Sport (the “DCMS”) published a Statement of Intent, in which it outlined the policy and objectives behind a proposed Data Protection Bill (the “Bill”), which was introduced in Parliament on September 13, 2017 and is currently making its way through both houses.
Post-Brexit the UK will become a third country with respect to EU law and will be subject to Article 45 of the GDPR. Data transfers will only be permissible if the UK provides an adequate level of data protection. The EU Commission will need to make an Adequacy Decision with respect to UK data protection laws. If this is not forthcoming then in accordance with Article 46 of the GDPR, cross-border data transfers could still take place if the recipient outside of the EU puts appropriate safeguards in place, which include standard contract clauses or binding corporate rules. These alternative measures would involve added costs for UK businesses.
The EU-U.S. Privacy Shield provides the legal framework under which transatlantic transfers of data may take place. Post-Brexit this will no longer apply. The European Union Committee of the UK House of Lords is proposing to mirror the approach taken by Switzerland which has both an adequacy finding by the EU Commission and a Privacy Shield Agreement with the United States which is identical to the EU-U.S. agreement.