23 MAY 2017

BY: DOUGLAS TAYLOR

Key terms:
• Natural person – A citizen or lawful resident of a European Union member state
• Personal data – Any data related to an identified or identifiable natural person
• Processing – Any operation performed on personal data including collection, retrieval, storage and transmission
• Controller – A person or entity with responsibility for processing the personal data of a natural person

Regulation (EU) 2016/679, also known as GDPR, comes into force on 25th May 2018. According to a recent survey conducted by Veritas, 57% of organisations are underprepared for GDPR . Respondents were either not preparing or not aware of any specific preparations being made. The same survey found that 18% of respondents thought non-compliance could put their organisations out of business and a further 21% thought it might result in layoffs. Gartner Inc. predicts that less than half of the firms impacted by the incoming regulation will be in compliance with GDPR by the end of 2018.

Non-compliance could result in fines of up to €20m or 4% of global annual revenue (whichever is greater).

So what is GDPR and why all the fuss?

GDPR aims to build and expand upon existing EU and UK legislation, namely Directive 95/46/EC and the UK Data Protection Act (1998) (DPA). At present, data protection laws across the European Union are relatively disjointed. Therefore, the principal goal of GDPR is to harmonise data protection laws across European member states, thus providing an environment for improved data collaboration, whilst protecting and, in fact, enhancing the rights of ‘natural persons’ around the ‘processing’ of their ‘personal data’.

Ultimate authority for the regulation resides with the European Commission and the European Courts of Justice. However, the UK supervisory body will be the Information Commissioner’s Office (ICO). As GDPR will be in force prior to Brexit, it will be transposed into English law (along with other EU derived laws) as part of the Great Repeal Bill and therefore is unlikely to be modified post-Brexit.
Who will GDPR apply to?

GDPR applies to any individual or organisation that processes personal data of natural persons and can be applied extra-territorially to any nation. Meaning that non-EU member states will also be subject to the regulation if they are processing the personal data of EU citizens. As a result, most, if not all, organisations in the UK will be impacted in one way or another irrespective of which sector they operate in.
As with the DPA, GDPR sets out several conditions that must be met for the processing of data to be lawful.
These include:

• Where there is consent from the data subject;
• Where it is necessary for the performance of a contract;
• Where it is necessary for compliance with a legal obligation;
• Where it is necessary to protect the vital interests of the data subject;
• Where it is necessary for the performance of a task carried out in the public interest; or
• Where it is necessary for the purposes of legitimate interests.

In addition, the regulation allows that member states can introduce exemptions for areas such as protection of judicial independence and proceedings, enforcement of civil law matters, public security and national security .

What are the key changes?

Consent:

GDPR expands considerably on the meaning of consent in relation to the processing of personal data (as opposed to that provided in the DPA) . Under the new regulation data subjects must provide explicit consent for a given process and this must be clear and involve affirmative action (moreover GDPR bans pre-ticked opt-in boxes). No longer will consent be buried in T&Cs, it will need to be made clear that the data subject has a right to withdraw consent at any given time and it needs to be easy for consent withdrawal to take place. Accurate records will need to be maintained so that it can be demonstrated where consent has been given and withdrawn i.e. there is much more of a focus on accountability under GDPR. Finally, where children’s (defined in the UK as anyone under the age of 13) personal data is being processed, consent will need to be obtained from a parent or guardian.

Rights of Data Subjects:

Again, GDPR builds on the rights of individuals that were laid out in the DPA and adds some additional ones:

  • The right to be notified of any data breaches within 72hours (and provided with suggested remedial action)
  • The right to query a controller around whether personal information is being processed and, if so, how
  • The right to correct erroneous data held by a controller
  • The right to request the deletion of personal data held by a controller, for example, where personal data is no longer necessary in relation to the process for which it was collected (there are exemptions from this where there is pending litigation and where personal data is held in the public interest)
  • The right to restrict the processing of personal data
  • The right to obtain personal data from a controller so that it can be passed to another controller
  • The right to object to certain processing of personal data
  • Rights in relation to automated processing
  • The right to withdraw from automated decision making - where the decision would have a legal impact
  • The right to obtain human intervention in the decision-making process
  • The right to an explanation about how an automated decision has been reached
  • The right to challenge or appeal an automated decision

What are the biggest immediate challenges facing firms because of GDPR?

As highlighted in the opening paragraph, perhaps the biggest challenge now facing firms is the limited amount of time before the regulation comes into force. Therefore, if it hasn’t yet happened, the primary focus should be on making sure that the appropriate people in your firm are made aware of GDPR with an appropriate education programme. If Gartner Inc. are correct and more than half of impacted firms are not compliant before GDPR comes into force, being able to demonstrate to the regulator that your workforce has been instructed about GDPR should only work in your favour.

If required, a Data Protection Officer should be appointed. Interpretation of what the regulation means to your organisation is key as well as gaining an understanding of what the potential impacts might be. Once this has taken place the current state can be compared to the target operating model. This will allow you to create your roadmap to compliance so that potentially high risk areas can be identified and begin to be addressed. Given the short timeframe, implementation of GDPR is likely to cause considerable strains on resourcing in the build up to 25th May 2018. It can also be noted that if your firm operates internationally, the determination of which supervisory authority you fall under becomes more complex.

Policies and procedures will need to be reviewed to ensure that they cover the enhanced rights of data subjects and staff will need to be educated in this regard. Whilst there are similarities between both old and new regulations, your procedures will need to be checked to ensure that, should a data subject make a request, you are able to perform the necessary action to a satisfactory level and within an acceptable timeframe. A crucial aspect of this will also be to make it clear when not to carry out a data subject’s request.

Locating personal data is likely to be one of the major difficulties facing a large number of organisations. At some stage a full audit of the information held by your organisation ought to be carried out to identify where any personal data might be located. Until this is done, compliance will be difficult to demonstrate to the regulator. One major hiccup at this stage might be the presence of ‘dark data’; personal data that is no longer being used and is potentially unsearchable (for example, in hard copy documents). However, there are technologies available which can assist with the process of locating dark data.

How are you currently obtaining consent for personal data to be used? Is this consent explicit for particular data processes? Once it has been established which natural persons need to provide consent, procedures for capturing this information will need to be reviewed to make sure that they are compliant with GDPR. In this regard GDPR is much more onerous than the DPA and consent needs to be fully tracked so that compliance can be demonstrated to the regulator. As mentioned previously, there is also the additional requirement that explicit consent for the use of children’s personal data must be obtained from a parent or guardian (and, again, that this should be recorded).

A Data Protection Officer will need to define how different types of personal data should be used. Once policies for the compliant processing, usage and storage of that data are in place, the data architecture should be reviewed to ensure that all data streams are handled in an appropriate manner. Suitable procedures should be put in place to ensure that proper data governance is upheld, thus ensuring that compliance is maintained. 32% of the respondents of Veritas’ survey were concerned that their organisations did not have the appropriate technology to properly manage their data. Serious consideration should be put into implementing data stream management software which would allow for much easier controlling of data streams, as well as flexible processing, transparency and data governance . Putting data stream management software in place would also allow for much more efficient management of personal data and, in the event of a breach, the necessary notifications would be much more straightforward to action. Key to this will be the detection, reporting and investigation of any personal data breaches.

There will be a requirement for privacy notices to be assessed to ensure that they are GDPR compliant. As part of this they will, for the first time, need to include the legal basis for the processing of personal data. The result of this for your organisation will involve an effort to locate non-compliant privacy notices and potentially carrying out a contract repapering effort. Depending on the size of this task for your firm it may be that technology can expedite and perhaps improve the accuracy of this process.

Finally, the ICO have released guidance on Privacy Impact Assessments (PIA) . PIAs are a mechanism for identifying privacy risks as early as possible thus reducing the potential impacts of those risks on your organisation. Therefore, the potential benefits from understanding how to conduct appropriate PIAs are great.
What opportunities might GDPR present?

On the face of it, there is not much time until GDPR comes into force and the demands of GDPR are great. However, by taking the right action there is also a possibility that benefits can be reaped. Through reviewing your data architecture and the way that personal data is handled, there might well be opportunities during that process to try and improve business efficiency . In addition, GDPR has created a chance to remove some of the ambiguity around certain key concepts that had not previously been included in the DPA; necessary because of the world that we live in today. Finally, there is the prospect that the altered landscape will provide an environment in which innovation in the area of data protection is encouraged; perhaps enabling some firms to distinguish themselves through trust in the way that personal data is handled.

References

Brighttalk.com. (2017). GDPR: How to Manage Risks and Reputation within Any Data-Driven Company. [online] Available at: https://www.brighttalk.com/webcast/8251/251249?utm_campaign=webcasts-search-results-feed&utm_content=gdpr&utm_source=brighttalk-portal&utm_medium=web [Accessed 18 May 2017].

Gartner.com. (2017). Gartner Says Organizations Are Unprepared for the 2018 European Data Protection Regulation. [online] Available at: http://www.gartner.com/newsroom/id/3701117 [Accessed 18 May 2017].

GDPR Associates. (2017). General Data Protection Regulation Exemptions and Derogations. [online] Available at: https://www.gdpr.associates/gdpr-exemptions/ [Accessed 18 May 2017].

Information Age. (2017). 5 Urgent Changes Needed to Tackle GDPR – Gartner. [online] Available at: http://www.information-age.com/5-urgent-changes-needed-tackle-gdpr-gartner-123466082/ [Accessed 18 May 2017].

Information Commissioner’s Office, (2017). Consultation: GDPR Consent Guidance. [online] Available at: https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf [Accessed 18 May 2017].

Information Commissioner, (2017). Individual’s Rights. [online] Available at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/ [Accessed 18 May 2017].

Information Commissioner’s Office, (2017). Preparing for the General Data Protection Regulation (GDPR). [online] Available at: https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf [Accessed 18 May 2017].
Information Commissioner’s Office, (2017). Conducting Privacy Impact Assessments: Code of Practice. Available at: https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf [Accessed 18 May 2017].

Investors.imperva.com. (2017). Imperva Survey Shows Most IT Security Professionals Are Aware of GDPR, Yet Only 43 Percent of Organizations Are Preparing. [online] Available at: http://investors.imperva.com/phoenix.zhtml?c=247116&p=irol-newsArticle&id=2266347 [Accessed 18 May 2017].
Twobirds.com. (2017). Guide to the General Data Protection. [online] Available at: https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird–bird–guide-to-the-general-data-protection-regulation.pdf?la=en [Accessed 18 May 2017].