Latest IT law, outsourcing and e-commerce legal updates
Ready, Steady… GDPR Ready?
Posted 23rd January 2017 by Shazanna Safdar-Karim, Director
Despite being on the “radar” for years, GDPR is no longer far in the distance. From May 25, 2018 GDPR will apply in the UK, bringing significant changes to the existing regime, and the sanctions for non-compliance are substantial. It will affect most businesses regardless of industry and size. The first tranche of guidance on new aspects was published by the Article 29 Working Party in December 2016. It is time to start planning!
Does Brexit mean this is irrelevant?
No. The UK’s anticipated exit from the EU is estimated to be in 2019 or beyond. GDPR is applicable to the UK from 25 May, 2018.
What are the key changes?
1. Increased Penalties for Breaches
The national Data Protection Authority may levy fines of:
(a) up to 2% of annual worldwide turnover of the preceding year or 10 million euros (whichever is greater) for breaches relating to data security and breach notification, and
(b) up to 4% of annual worldwide turnover of the preceding year or 20 million euros (whichever is greater) for breaches of the data protection principles.
The ICO is also likely to call for more effective deterrents to ensure data controllers comply with their obligations (such as additional powers for non-consensual audit, fines, and bringing sections 77 and 78 of the Criminal Justice Act into force which would allow custodial sentences of up to two years for those convicted of illegally obtaining and selling personal data).
2. Mandatory Breach Reporting
Under GDPR there are strict obligations which require data controllers to notify the national Data Protection Authority of all data breaches without undue delay and, where feasible, within 72 hours (unless the data breach is unlikely to result in a risk to individuals).
Data processors will be required to notify their data controllers of any breach.
3. New Compliance Obligations (Data Processors)
GDPR essentially changes the relationship between data controllers and data processors and introduces new compliance obligations which are directly enforceable against data processors.
As well as reporting breaches to data controllers, data processors must:
(a) maintain a written record of processing activities carried out on behalf of each controller;
(b) designate a data protection officer where required;
(c) appoint a representative (when not established in the EU).
4. Stricter Obligations for Data Controllers
GDPR will impose stricter obligations on data controllers. There is a higher consent standard required (clear affirmative action establishing a freely given, specific and unambiguous indication of the individual’s consent to their personal data being processed). Public authorities will no longer be able to rely on the legitimate interest condition to process personal data. Overall privacy notices will need to be more detailed.
Data controllers will need to put in place more detailed contractual provisions with data processors and restrict the data processor’s ability to appoint sub-processors (without the data controller’s consent).
5. Reach Beyond the EU
There is a wider territorial scope under GDPR which goes beyond the EU. Non-EU data controllers and data processors must comply with GDPR if they:
(a) offer goods or services to data subjects in the EU (even if such goods or services are free of charge);
(b) monitor data subjects’ behaviour in the EU.
Approved codes of conduct and certification mechanisms will be required under GDPR to legitimise data flows to non-EU jurisdictions.
6. Employee Monitoring
Mandatory privacy impact assessments will be introduced under GDPR prior to the adoption of new processes and technologies which are “likely to result in a high risk to the rights and freedoms of natural persons”.
7. Enhanced Individual Rights
As well as the higher standard of consent and more detailed privacy notices, it is advisable to consider implementing procedural changes for responding to data subject access requests, the new data portability rights, rights in relation to profiling, the right to be forgotten (a right to erasure) and the right to restriction of processing.
8. Mandatory Data Protection Officer
A Data Protection Officer must be appointed by any organisation for which:
(a) processing is carried out by a public authority;
(b) the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale, or
(c) the core activities consist of processing.
What do I need to do?
- Brief your board, if you haven’t already.
- Even if you are not in the EU, check whether you are affected (or any of your group companies are affected) given the new territorial reach.
- Select a team with specific roles and responsibilities (e.g. training, drafting template notifications).
- Consider whether you require a Data Protection Officer, and if so, within which function you would like it to sit (IT, Legal, Marketing, elsewhere).
- Review technical and organisational data security measures.
- Develop and implement a data security breach response plan.
- Review your procedures for transferring data outside of the EEA (and continue to keep them under review).
- Review and amend your procedures relating to individual rights.
- Review arrangements with data processors and data controllers and consider applicable updates.