Last month, The IASME Consortium, launched the first in a series of informative updates on the forthcoming General Data Protection Regulations. Our regular updates, brought to you in collaboration with leading law firm Harrison Clark Rickerbys (HCR), will run right through to the implementation of the Regulations.
For our February update IASME asked HCR’s Robert Cobley (pictured), Partner, Commercial, to provide us with some of the detail behind the GDPR headlines.
IASME : When we speak of GDPR there appears to be one fact everyone is talking about. It seems a strange place to start, but could you tell us more about the potential penalties for non-compliance?
RC: It’s actually a very relevant place to start as the headline you’re speaking about demonstrate how seriously businesses need to take these Regulations. It’s also the very reason many businesses have already started to assess any gaps and implement the actions necessary to become compliant.
A potential fine of €20m or 4% of annual worldwide turnover for more serious legislative breaches is certainly an attention-grabbing headline but it is not the only sanction. Non-compliance with data protection law will no longer be seen as a low risk issue for businesses. As well as greater fines, Supervisory Authorities will have certain investigative and corrective powers including the right to conduct audits, require information to be provided and gain access to premises. Whilst there is no personal liability of directors set out in the GDPR for breaches of the Regulation, the UK Information Commissioner did recommend personal liability and accountability of company directors for data protection violations at a parliamentary meeting discussing the Digital Economy Bill last year. If this position gains wider support and is introduced, liability of directors could be very significant.
If GDPR isn’t already on your business Boardroom agenda, then I would recommend you do so as soon as possible. The Information Commissioner, Elizabeth Denham, summed up the magnitude of GDPR during a January speech to the Institute of Chartered Accountants in England and Wales, when she described them as, “a game changer for everyone.” I can’t think of any better words to emphasize the importance of these Regulations.
IASME: You’ve mentioned ‘Supervisory Authority’ and I’m aware there are similar phrases used in the Regulations. Could you briefly summarise what the key common terms mean?
RC: Certainly. There are some key terms used in these Regulations which businesses need to be aware of. Many businesses will already be familiar with the phraseology from the current Data Protection Act.
This is simply the Information or data that identifies a natural person (data subject). It could be anything from an identity number through to locational data.
Whether automated or manual, processing includes the collection, recording, structuring, adapting, altering, retrieval, consultation, use, disclosure, transmission, dissemination of data.
Is the natural (human) person or legal (organisation) entity, public authority, agency or other body processing personal data on behalf of controller.
natural or legal person, public authority, agency or other body which determines the purposes for, and means of, processing personal data.
the individual(s) who can be identified directly or indirectly by reference to an identifier such as name, id number, location data, online identifier or factors specific too physical, physiological, genetic, mental, economic, cultural or social identity.
The body responsible for upholding the GDPR in each EU country. In the United Kingdom, this will be the Information Commissioners Office (ICO), currently under the direction of the Information Commissioner, Elizabeth Denham.
IASME: Why should businesses start preparing for GDPR now when the regulations don’t come in until May 2018.
RC: It is true that the implementation date is still over a year away. The GDPR have been described by the Information Commissioner as a” 21st century approach to personal data which places the onus on business to change their entire ethos to data protection”. Dependant on a business’ starting position, I think that statement indicates the potential workload that could be involved.
Of course, we currently have the Data Protection Act however, GDPR builds on the existing legislation significantly. Although the implementation date may seem a long way off, this lead in period gives business suitable notice to digest the requirements and give due consideration to any actions necessary to meet the obligations. It also provides sufficient time for business to plan strategically by ensuring costs are budgeted for and any changes to processes and procedures can be integrated into the business with minimal disruption to their daily operations.
There is a downside to the implementation timescales – Brexit! There are some claiming that GDPR won’t apply to UK because of Brexit. Don’t be fooled. The UK will be subject to GDPR. Once Brexit occurs, it has been strongly inferred by ICO that the UK will retain GDPR or introduce an equivalent of equal robustness. Brexit will not be an excuse for non-compliance.
IASME: These Regulations are specific to ‘data’ so what types of data will be subject to protection?
RC: The definition of personal data is generally unchanged under the GDPR however, there is specific inclusion of location data and online identifiers such as IP addresses and cookies. Sensitive personal data will also be subject to additional protections and restrictions. All of this may increase overall compliance obligations of businesses.
Data which has undergone pseudonymisation yet still identifies a person is covered. However, if treated appropriately, it is also true that ‘pseudonymisation’ can also reduce risk thus helping businesses meet their GDPR obligations.
IASME: You mentioned earlier that GDPR takes into account the way businesses currently operate. There will be few, if any, businesses which do not process data. What will business be required to do to process data in a way that complies with GDPR?
RC: ‘Freely given consent’ should be at the fore of your thinking. You should be able to demonstrate that consent to process data has been freely given and that your request for that consent was specific, concise, informed, clear and easy to understand. If you are seeking consent from a child, then that request must be in a language they can understand. Any consent you receive cannot be subject to unfair terms and, equally, an individual should be able to refuse or withdraw consent without penalty.
The reason why you are collecting the data should be explicitly outlined at the time it is being given. If data is being gathered for multiple purposes, consent must be given for all purposes for which data will be used.
Consent provided by a written statement, by electronic means or through oral consent are all acceptable. Consent can still be given by use of tick boxes on a website however the tick box should not be ‘pre-ticked’. Silence or inactivity do not constitute consent.
When the data itself is being ‘processed’, it should be done so in a manner which ensures appropriate security, confidentiality and guards against unauthorised access. You will also need to consider processing data in line with the ability of your network or information security system to resist accidental, unlawful or malicious actions that may compromise availability & confidentiality of stored or transmitted data.
IASME: You’ve outlined some of the issues that businesses need to consider. If we look at GDPR from the individuals, or Data Subjects, viewpoint, what rights do they have under the Regulations?
RC: The data subject or the individual(s) whose data is being processed is central to GDPR. These Regulations are designed to protect the fundamental rights and freedoms of persons, their personal data and the processing of that data.
Every one of us has the right to the privacy, protection and accuracy of our personal data. The regulations allow for enforcement of those rights in relation to our data being shared over ever increasing international borders and technological advances, all of which allows businesses to make use of our data on an unprecedented scale.
In processing the data, you must have facilities available for individuals to exercise their rights under GDPR, which includes the ability to request and gain access to their personal data; free of charge. They also have the right to object to and/or erase data. You, as the person or entity holding the data, must respond to these access requests in a reasonable time and within a month. Where the data subject does request access, you must take reasonable measures to verify their identity. You cannot retain personal data for the sole purpose of being able to react to potential requests.
When processing data, you must make persons aware of any risks and rules. The data you collect should be adequate, relevant and necessary for purpose proposed. Data held should be time limited, with the time line reviewed periodically and erased at end of period. If data held is inaccurate then reasonable steps must be taken to rectify or delete.
GDPR introduces the ‘right to be forgotten’. The data subject has the right to have data erased where it is no longer necessary in relation to purpose for which it was collated or, where consent is withdrawn. This erasure also includes links, copies or replications and will require businesses to ensure that these rights of data subjects are properly dealt with. In practice, these requests for erasure may well be difficult to manage, not only from a technical perspective.
It is clear that data controllers such as search engine providers in particular will fall within the GDPR’s remit but it is not entirely clear as yet the extent to which other internet intermediaries will fall within the category if they process data on behalf of a user and are not strictly data controllers.
IASME: We spoke about the penalties for non-compliance at the start of this interview. Why are the penalties in GDPR so much more significant than under the current Data Protection rulings?
RC: Whilst on first reading the penalties to businesses sound onerous, we must also remember that GDPR will be protecting us as individuals where we are the ourselves are the ‘data subjects’.
In essence the consequences of mismanaged data can be both dramatic and traumatic and include risk to rights and freedoms, reputational damage, discrimination, reputational damage, theft and fraud.
A business that implements the right processes, procedures and checks in place should not fear the GDPR. Analyse the likelihood and severity of risk from your data processing and ensure the appropriate measures are taken that match the risk level.
Where there is a high risk, the organisation should carry out a data protection impact assessment to evaluate nature and severity of that risk. You should be able to demonstrate you have taken steps to reduce risks. Implementing approved relevant codes of conduct and relevant approved certifications can help meet these requirements. Similarly, you may look to work with your industry trade body if there are any specific concerns or risks within your particular sector.
IASME: If the worse comes to the worse and there is a breach within my business, what will I need to do under the GDPR?
RC: Unless you can demonstrate a breach is unlikely to risk the rights and freedoms of data subject(s), any breach must be notified to the Supervisory Authority (ICO) no later than 72 hours from when you become aware of it. If there is a danger to the rights or freedoms of individual(s) then those individuals should be notified so they can take necessary precautions. Your communication with the affected persons should describe the nature of the breach and recommendations to mitigate damage. It must be done in cooperation with the Supervisory Authority.
IASME: What if the data is processed overseas? What are my obligations there?
RC: International transfers of personal data will be dealt with similarly under the GDPR as they currently are under the DPA. Present law prohibits the transfer of personal data outside of the EEA to a country that does not have “adequate protection” for data subjects. Certain countries are approved by the European Commission as having an adequate level of protection under the GDPR and those adequacy decisions will remain in force until amended, replaced or repealed under the GDPR. The GDPR also recognises Binding Corporate Rules (BCRs) to enable cross border data transfers within a company group and sets out criteria that BCRs must cover. Cross border transfers of data can also take place on the basis of standard model clauses approved by the European Commission. The existing clauses will remain valid under the GDPR until amended, replaced or repealed.
Thanks Robert. That certainly provides all of us with some food for thought, and a clearer outline of what’s involved. We look forward to catching up with you and your colleagues for further updates as we move ever closer to May 2018 implementation.
The IASME Consortium will be bringing you further updates alongside HCR right the way through to the implementation of GDPR. To ensure you are catch all our updates, please follow us on Twitter, @IASME1, or via ‘The IASME Consortium’ on LinkedIn. To find out more about Cyber Essentials and GDPR, click here.
For more specific legal advice in relation to GDPR you can contact Robert Cobley and the Harrison Clark Rickerbys team via www.hcr.com.
If you have any comments, or areas you’d like future articles to address, please email [email protected].