General Data Protection Regulation (GDPR)
The General Data Protection Regulation is a new legal framework that will come into effect on 25 May 2018 in the European Union.
As EU Regulations have direct effect in all EU Member States, the General Data Protection Regulation will take precedence over the national laws of every member state.
Its entire focus is the protection of personal data, and it is seen as one of the biggest shake-ups in how personal data is to be handled.
It potentially affects not just companies but any individual or body that processes the personal data of people based in the EU. This includes suppliers and other third parties a company might work with to process personal data on its behalf. It covers all Member States of the European Union, including the UK after Brexit in 2019, as GDPR will be incorporated into UK law. GDPR also affects any company outside the EU that offers goods or services to people in the EU, or any company or body that monitors their behaviour within the EU.
For example, website hosting companies in the US who host sites accessible by individuals in the EU will be directly affected. GDPR will have huge implications for many businesses worldwide. It is thought that some organisations will need to employ a Data Protection Officer to ensure complete compliance. What is certain is that virtually everyone will need to put additional practices and safeguards in place.
With the very real prospect of incurring a fine of up to 4% of annual global turnover or €20,000,000 (whichever is the greater), knowledge of GDPR should be taken very seriously indeed.
GDPR – Key Points
- Covers every business and any third party that may process data for you, inside or outside the EU
- Privacy considerations must be built in everywhere, and only data strictly required for the stipulated purpose can be used
- Expands the rights of individuals and what information they must be provided with regarding your data processing activities
- Individuals will have the right to move, copy or transfer personal data
- Consent must be confirmed by, for example, a written statement. You must not assume consent or rely on pre-checked website boxes
- Expert knowledge of data protection law is paramount, and having a specific Data Protection Officer may become obligatory. This could be an employee or someone engaged via a third-party service contract
- Data breaches must be reported to a local supervisory authority (such as the ICO in the UK) within 72 hours. In serious breaches, the individuals affected must also be informed
- Penalties could be up to 4% of annual global turnover or €20m (whichever is greater). Fines can be issued even if there is no actual loss of data
Informing people of their individual rights
Current EU data protection legislation provides people with rights over their personal data and describes what information a business has to provide to individuals. This includes information about what that business intends to do with their personal data. Up to now this has been dealt with by privacy statements on a website. The new General Data Protection Regulation significantly extends this and provides additional rights that must be communicated to individuals.
Individuals must be informed of the following (not exhaustive):
- The right to complain to supervisory authorities
- The right to withdraw their consent to processing of their personal data
- The right to access their personal data and have it rectified or erased (‘Right to be forgotten’) including via any third-parties that may have accessed it
- The right to be informed of the existence of any automated personal data processing
- The right to object to certain types of processing. For example – direct marketing and decisions based solely on automated processing
- The right to be told how long their personal data will be held for
- The right to be provided with details of the Data Protection Officer
- The right to ask non-profit organisations to exercise their rights and bring claims on their behalf, similar to a US style class action
In the case of collecting data based on the consent of individuals, EU data protection legislation has always required such consent to be freely-given, specific and fully informed. But with the GDPR, this has to be confirmed by a statement or other clear affirmative action. In other words, pre-ticked consent boxes on websites, or inactivity on behalf of the individual, even after reviewing a privacy statement, will not constitute consent.
Additionally, consent cannot be one-size-fits-all. A business will not be allowed to use an individual’s single consent at one stage in their business dealings as consent for other kinds of personal data processing. Separate consents are required for different personal data processing operations.
Finally, individuals must not only be informed that they have the right to withdraw consent at any time, it must be as easy for them to withdraw consent as it was to give it in the first place.
Existing consents given by individuals should be revisited to make sure they still comply with the General Data Protection Regulation. If there are conflicts or ambiguities, businesses will need to either establish a new lawful basis for processing the data, obtain new consent, or cease processing that personal data.
Right to move or transfer personal data
Individuals now have the right to transfer, copy or completely move their personal data from one place to another, even to a competitor. For example, if a playlist is generated for a user by a music service and the user switches to a new provider, the playlist can be taken with them. Therefore, the personal data needs to be held in a structured, commonly used and machine-readable format so it can easily be utilised and shared. It should be recognised that the requirement to make data truly portable and simple for others to use is likely to need extensive and costly IT restructuring.
Much wider scope
The General Data Protection Regulation creates liability for breaches both by the business that collects the personal data and by any third party that processes the personal data on behalf of that business. This third party could be another business, an organisation or an individual.
A business should be aware, though, that it cannot simply hand personal data to a third party; it must ensure that the third party is also compliant with the General Data Protection Regulation.
In addition, if a third party outside the EU offers goods or services to individuals in the EU, or monitors the behaviour of individuals in the EU, it too must comply with the General Data Protection Regulation. It should be noted that it doesn’t matter whether or not payment is made for the service, so charities and NGOs will also fall under the General Data Protection Regulation.
As the EU is currently a trading partner of most countries, the General Data Protection Regulation’s wider scope has implications for many businesses worldwide, as it will effectively require them to be compliant if they wish to operate in EU member states, either directly or as a third party.
Proof of compliance
It is not enough to merely comply with the GDPR. Businesses must prove they are doing so. This is referred to as ‘accountability’ and requires the business to keep very detailed records. In particular, records must be maintained by companies that employ more than 250 people, and by smaller companies where the data processing may result in a risk to the rights and freedoms of an individual, is not occasional, or might include Special Categories of Data (i.e. information on sexual orientation, health or religion). These records need to detail data processing activities, subject access requests, breaches, how consents are obtained, and Privacy Impact Assessments. This requirement also affects a third party that processes personal data on behalf of a business, although not in as great detail.
Privacy from start to finish
‘Privacy by Design’ clauses in the GDPR mean that both technical and organisational measures must be in place throughout the lifetime of the personal data, matching the privacy expectations of the individual from inception through to execution and cessation of the processing activity. This means that privacy considerations must be built into every aspect of data processing.
Only personal data that is strictly required for the stated purpose should actually be processed. This is referred to as data minimisation or ‘Privacy by Default’. Implementing ‘Privacy by Design’ and ‘Privacy by Default’ will involve continuous staff training, regular audits, minimising any data collected, restricting access to personal data to a ‘need to know’ basis, and implementing measures such as substituting the identity of the individual in such a way that additional information is required to re-identify them, and encrypting the data.
Mandatory breach reporting
In the event of a breach of the GDPR, businesses collecting personal data must report it to their local supervisory authority within 72 hours of becoming aware. Third parties processing personal data on behalf of a business must also report any breach without delay. If the breach poses a high risk to the individuals concerned, businesses must also notify the affected individuals without undue delay.
Data Protection Officers
Under the GDPR, businesses and any third parties who process personal data on their behalf will need to appoint a Data Protection Officer if:
- They are a public body; or
- The core activities of the business or third party involve monitoring of individuals on a large scale; or
- The core activities of the business or third party consist of processing special categories of personal data on a large scale. This includes data relating to criminal convictions and offences.
The DPO needs to have expert knowledge of data protection law but doesn’t necessarily need to be an employee and could instead be engaged on a service contract to fulfil the role. Details of the DPO will need to be communicated to a supervisory authority.
The penalties for non-compliance with the GDPR will be particularly tough: up to 4% of annual global turnover, or €20m, whichever is greater. Fines may be issued even if there is no actual loss of data. Small businesses will not be excluded or given exceptions based on their size. An individual will be able to file a class action lawsuit requesting a formal regulatory investigation if a business does not comply with the GDPR.
Brexit – What will happen?
The UK will leave the European Union in 2019. Until then, as with all EU member states, the General Data Protection Regulation will apply to the UK.
In the announcement for new legislation following the last election, it was stated that new data protection laws will do the following:
‘… implement the General Data Protection Regulation and the new Directive which applies to law enforcement data processing, meeting our obligations while we remain an EU member state and helping to put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU’ – Source: Queen’s Speech, June 2017
After Brexit, it is possible (although it cannot be assumed) that the UK will be considered a country deemed to provide ‘adequate’ protection by the European Commission, so may not be affected by potential issues such as data protection transfer prohibitions.
The new UK legislation replaces the Data Protection Act 1998 (based on EU Directive 95/46).
GDPR – Basic principles
As with the current EU Directive 95/46, the General Data Protection Regulation restates three basic sets of rules relating to personal data, as follows:
Data Protection Principles
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the individual concerned. It must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Personal data collected must be adequate, relevant and limited to what’s necessary. It must be accurate and kept up to date, and every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay. It must be stored in a form that identifies the individual for only as long as it’s needed, and it must be processed in a way that ensures appropriate security, including protection against loss, destruction or damage, and against unauthorised or unlawful access.
Processing of personal data is only lawful if at least one of the following applies:
1. If the individual has given consent for one or more specific purposes
2. If it’s necessary for a contract to which the individual is a party, or to comply with a legal obligation (e.g. submission of tax records by a business)
3. If it’s necessary for a task carried out in the public interest or in the exercise of official authority
4. If it’s necessary for legitimate interests (or those of a third party) except where overridden by the interests, fundamental rights and freedoms of the individual.
The GDPR continues the general prohibition on sending personal data outside the European Economic Area to a country that does not provide adequate protection. At the time of writing, the countries deemed by the European Commission to provide ‘adequate’ protection are:
US companies that self-certify to the EU-US Privacy Shield arrangement (note: this does not mean the US as a country is considered to provide adequate protection), Andorra, Argentina, Canada (limited to PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.
Where no adequacy decision exists, transfers can only be made in limited circumstances, including on the basis of consent, the use of standard contractual clauses published by the European Commission or, in the case of inter-company transfers, the use of Binding Corporate Rules.
Get in touch to find out how the EU GDPR could affect your business.
This document is intended to be a very simplified guide only*.
*Not intended as legal advice. Every effort has been made to ensure that the information provided is correct and up to date, and is delivered on an “as is” basis without any warranties, express or implied. Sage Accounts Training will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.