Many of the concepts and principles within the GDPR and current DPA are largely the same as those set out in the old legislation. However, there are some new concepts, and enhancements to existing ones, which are set out in the sections below.
Privacy by Design
Whilst privacy by design as a concept has existed for many years, it is now best practice and a legal requirement embodied in the GDPR in certain circumstances. Privacy by design requires the inclusion of data protection from the onset of the designing of systems, rather than as an afterthought. This is called out in the GDPR with the requirement that “The controller shall...implement appropriate technical and organisational measures...in an effective way...in order to meet the requirements of this Regulation and protect the rights of data subjects.”
This shows that data protection must now be positioned as a high priority by businesses within their business plan. It must form a fundamental, integral part of the design of a business from the outset and it can no longer be seen as an optional add-on.
Increased Territorial Scope
One of the biggest changes brought by the GDPR is the extended jurisdiction of the Regulation. The terms of the GDPR apply to processing of personal data “in the context of the activities of an establishment” (Article 3(1)) of any organization within the EU. For these purposes “establishment” implies the “effective and real exercise of activity through stable arrangements” and “the legal form of such arrangements…is not the determining factor”. The result of this wording is that a wide range of entities are now caught by the Regulation, from potentially a single individual through to a whole corporate group.
The GDPR applies to the processing of personal data by both controllers and processors in the EU, regardless of whether the processing itself takes place in the EU or not. Additionally, the GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU where the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) or to the monitoring of behaviour that takes place within the EU. Many overseas organisations who fall into this category must therefore take the necessary steps to ensure GDPR compliance, including the appointment of a representative in the EU. The potential sanctions, including large fines for non-compliance, mean that it is important that all organisations who may be caught by the GDPR regularly carry out compliance reviews. Whilst this represents an increased administrative and financial burden, it will in the long run be a very cost-effective exercise, particularly as more organisations focus on data protection during due diligence and “know your client/supplier” exercises.
Expanded Definition for Personal Data
So - what constitutes personal data for the purposes of the GDPR?
Personal data is defined as “any information relating to an identified or identifiable natural person”, where a person is “identifiable” if anyone can identify them using “all means reasonably likely to be used”. This means that data may be personal data even if the organisation holding the data cannot itself identify the natural person.
For this purpose, identifiers can be a range of things including factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, location data or online identifiers such as IP addresses or cookies. The GDPR applies both to automated personal data and to manual filing systems where personal data are accessible according to specific criteria (e.g. chronologically ordered sets of manual records containing personal data). There is therefore a fairly low bar for identification, resulting in a wide range of data being caught by the GDPR.
The GDPR introduced a new concept of “Pseudonymisation” which is defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person”. Whilst pseudonymisation does not render data anonymous, it does reduce the risks associated with data processing while also maintaining the data’s utility. For this reason, whilst pseudonymous data is not exempt from the GDPR, organisations which implement pseudonymisation techniques enjoy various benefits under the GDPR.
Under the old legislation, the principles of data protection did not apply to data rendered anonymous in such a way that the data subject was no longer identifiable. The ICO defined anonymisation as “the process of turning data into a form which does not identify individuals and where identification is not likely to take place”, resulting in data that is therefore not personal data. Recital 26 of the GDPR similarly states that “the principles of data protection should therefore not apply to anonymous information, that is [...] data rendered anonymous in such a way that the data subject is not or no longer identifiable”. Crucially, the GDPR definition omits the word “likely”, implying a higher threshold than was previously set by the ICO. The ICO deemed that, whilst 100% anonymisation was ideal, it was not required by the old legislation: as long as the risk of re-identification was remote, this was sufficient. The Article 29 Working Party, now the European Data Protection Board (“EDPB”), which is an independent European body comprised of representatives from all of the national supervisory authorities, took a stricter view and argued that anonymisation must be irreversible. So it may be that a stricter line will be taken under the GDPR, although it remains unclear for the moment as the ICO are still to update their existing guidance on anonymisation to reflect the GDPR.
Whilst there are limitations of anonymisation and pseudonymisation, organisations should be giving serious thought to their possible uses as they will help limit an organisation’s risk profile and exposure in the event of a personal data breach. The GDPR repeatedly refers to the use of pseudonymisation and specifically refers to pseudonymisation as one of the security measures that organisations should implement by default or “as soon as possible”.
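As an added illustration (not part of the original page), the definitions above in working form: a keyed token replaces the direct identifier, the key is the “additional information” that must be held separately, and re-attribution is possible only for the key holder; an aggregation step shows the contrast with anonymisation, which cannot be reversed with or without a key. The records, key and field names are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people); the e-mail address is the
# direct identifier that pseudonymisation removes.
RAW_RECORDS = [
    {"email": "alice@example.org", "postcode": "EH1 1AA", "visits": 3},
    {"email": "bob@example.org",   "postcode": "G1 1AA",  "visits": 7},
    {"email": "Alice@example.org", "postcode": "EH1 1AA", "visits": 1},
]

# Constructed key. In a real deployment this is the "additional information"
# the GDPR requires to be kept separately (e.g. in a key vault or HSM that
# analysts working on the pseudonymised dataset cannot read).
DEMO_KEY = b"constructed-demo-key-store-me-separately"


def token_for(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the normalised identifier.

    A keyed function rather than a plain hash: anyone can compute SHA-256 of
    an e-mail address they already hold, so an unkeyed hash leaves the data
    attributable. Case normalisation keeps one token per subject.
    """
    data = identifier.strip().lower().encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def pseudonymise(records, key, direct_identifier="email"):
    """Replace the direct identifier with a token; all other fields are kept.

    The same subject always maps to the same token, so repeat visits can still
    be linked and the dataset keeps its analytical utility. That linkability is
    exactly why the GDPR treats this as risk reduction, not anonymisation.
    """
    out = []
    for r in records:
        pseudo = {k: v for k, v in r.items() if k != direct_identifier}
        pseudo["subject_token"] = token_for(r[direct_identifier], key)
        out.append(pseudo)
    return out


def reidentify(token, known_identifiers, key):
    """Re-attribute a token to an identifier; only the key holder can do this.

    HMAC is not invertible, so even the controller can only recompute tokens
    for identifiers it already holds (e.g. to action an erasure request).
    Returns the matching identifier, or None.
    """
    for ident in known_identifiers:
        if hmac.compare_digest(token_for(ident, key), token):
            return ident
    return None


def anonymise_by_area(records, min_count=2):
    """Irreversible aggregation: number of records per postcode district.

    Tokens and every other per-subject field are dropped, and districts with
    fewer than min_count records are suppressed so a small group cannot single
    anyone out. Nothing here can be re-linked to a subject, key or no key.
    """
    counts = Counter(r["postcode"].split()[0] for r in records)
    return {area: n for area, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    pseudo = pseudonymise(RAW_RECORDS, DEMO_KEY)
    print(pseudo)
    known = ["alice@example.org", "bob@example.org"]
    print(reidentify(pseudo[0]["subject_token"], known, DEMO_KEY))
    print(anonymise_by_area(RAW_RECORDS))
```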
Both Controllers and Processors Caught
Under the previous data protection legal framework, data controllers were the ones that carried the burden of legal compliance. The GDPR brings about a significant change as now suppliers, or the data “processors”, are also caught. This means that not only those who are responsible for determining the purposes and means of the processing of personal data, but also the organisations who are engaged by a controller to process personal data on their behalf must abide by the legislation.
Therefore, suppliers processing personal data, including cloud service providers, will have to comply, which may require potentially adapting and amending their contracts, services and processes.
There are a number of articles within GDPR setting out processor obligations. These include maintaining adequate records of processing activities, cooperating with supervising authorities, implementing appropriate security standards via technical and organisational methods, carrying out routine data protection impact assessments, appointing and supporting a data protection officer under certain circumstances and complying with international data transfer rules.
Infringement or non-compliance can result in sanctions being imposed directly on processors and controllers by authorities as well as the potential of facing private claims by individuals looking for compensation following an infringement of their rights.
This increase in responsibilities and risk for processors will inevitably impose a greater administrative burden on them and means that action must be taken to ensure compliance. Continued review of contractual arrangements is a must for both controllers and processors, and privacy impact assessments will be required in many cases.
The GDPR brings to the table a new data protection principle - that of accountability. It requires the controller to take responsibility for ensuring that all privacy principles are adhered to and demonstrate their compliance.
The data protection principles in the GDPR set out that personal data must be:
- Processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
- Adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed (the "data minimization principle");
- Accurate and where necessary kept up to date (the "accuracy principle");
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
- Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").
The accountability principle aims to guarantee compliance with the Data Protection Principles by requiring organisations to be able to demonstrate their compliance. This necessitates internal clarity and structured data protection procedures within organisations, as well as demonstrable responsibility to external parties including data protection authorities. Controllers must also be prepared to put action plans in place should remedial action be required. A far more structured and responsive system of governance is required compared to that needed under the old legislation. The requisite transparency and accountability now force controllers and processors to carry out extensive data audits across their organisations, record findings, identify gaps in current systems and implement remedial action, create and document procedures to ensure continued compliance with the GDPR, keep all information up to date and keep relevant staff suitably trained in GDPR requirements, which in effect requires a culture change within many organisations. Data protection officers and supervising authorities potentially need to be consulted or otherwise involved in any high-risk processing. Data protection must now be a priority in all business planning where personal data may be involved, from the outset.
In order to meet their accountability obligations controllers must be aware of a number of specific provisions within the GDPR including the following:
Protection by Design
Lawful Processing - stricter rules for consent and legitimate interests
The “lawfulness, fairness and transparency principle” requires processing to fall within one or more of the permitted legal justifications for processing. Whilst this has always been the case, the GDPR has raised the bar by changing some parameters and means that it will now be more difficult for organizations to fall within the remit of the legal justifications for lawful processing. As failure to comply with this principle can result in the highest level of administrative fines being imposed, organisations should be very careful.
Key changes include (i) different, stricter requirements relating to how consent is to be obtained from data subjects (ii) narrowing the legal justification allowing data controllers to process in their legitimate interests and (iii) raising the bar to justify processing of special categories of personal data.
(i) Consent
The conditions for consent have been amended and strengthened, and companies will no longer be able to use illegible terms and conditions with consent wording hidden in the midst of a plethora of legalese. The request for consent must now be given in an intelligible and easily accessible form, with the purpose for the data processing stated. It must be clear and unbundled, so easily distinguishable from other matters, and given using clear and plain language. It must be prominent and must only use opt-ins: pre-ticked boxes, silence or inactivity will not be sufficient. Importantly, it must be as easy to withdraw consent as to give it, so the means to withdraw consent must also be provided. This means that consent should only be used where the individual has genuine choice and control over how his or her personal data is to be used. Additionally, when consent is relied upon as the legal justification, data subjects are given extra rights, including the right to data portability and the right to be forgotten. Taking the action required following the exercise of these rights can potentially be rather onerous for organisations, making consent a less attractive choice for controllers and processors in many situations.
(ii) Legitimate interests
The GDPR has narrowed the circumstances in which processing will be considered to be necessary for the purposes of the legitimate interests of the controller or a third party. Whilst this will not be a major change in some member states, it is a significant change to the approach taken until now in the UK. Public authorities in particular, must note that they can no longer rely upon this justification.
Where it is relied upon, controllers will need to specify what the legitimate interests are in privacy notices and must be sure that their legitimate interests are not outweighed by the interests or fundamental rights and freedoms of the data subjects, especially where children’s data is involved.
Alternative legal justifications
These changes, together with the risk of massive fines for failure to comply with them, mean that many controllers seek to rely on an alternative justification for processing, such as the processing being necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject in order to enter into a contract. Whilst this avoids some of the complications attached to the consent and legitimate interest justifications, it does have other burdens attached, again in the form of rights given to data subjects: the right to data portability and the right to be forgotten.
Other alternatives include processing being necessary: for compliance with a legal obligation; to protect the vital interests of a data subject (or another person where the data subject is incapable of giving consent); or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(iii) Special Categories of Personal Data
In relation to special categories of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation), a higher bar is set before processing is allowed and such data can only be processed in specific circumstances set out in the GDPR. However, this is one of the areas where Member States are allowed to introduce domestic laws setting further conditions with regard to the processing of genetic, biometric and health data so we may see some differences appearing across the Member States.
Due to the restrictive approach now taken under the GDPR, organisations must ensure that extensive data mapping is carried out, and regularly reviewed, across the organization to check that all personal data which is processed has a legal justification.
Data Subject Rights
Transparency is key to EU data protection law, obliging controllers to communicate transparently with data subjects regarding the processing of their personal data. In order to ensure that personal data is processed fairly and lawfully, controllers must provide certain information to data subjects, regarding the collection and further processing of their personal data and informing them of their rights. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Any information provided to children should be in such a clear and plain language that the child can easily understand.
Under the GDPR, data subjects have a number of new and expanded rights, including the following:
Data Protection Officers
Under the GDPR a number of organisations are required to appoint a Data Protection Officer (DPO). The organisations for whom this is mandatory are:
- public authorities
- controllers or processors whose core activities consist of processing operations which by virtue of their nature, scope or purposes require regular and systematic monitoring of data subjects on a large scale
- controllers or processors whose core activities consist of processing sensitive personal data on a large scale.
There are a number of conditions imposed around the DPO’s appointment and role. Importantly the DPO:
- Must be involved properly and in a timely manner in all issues which relate to the protection of personal data.
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices.
- May be either a staff member or an external service provider.
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge.
- Must report directly to the highest level of management, must not be told what to do in the exercise of their tasks and must not be dismissed or penalised for performing their tasks.
- Must not carry out any other tasks that could result in a conflict of interest.
- Contact details for the DPO must be provided to the relevant supervising authority.
Once appointed, the GDPR defines the tasks of the DPO as including the following:
- To inform and advise controllers and processors and employees with regard to compliance with GDPR and other Union and Member State data protection laws.
- To monitor compliance with data protection law as well as the internal policies of the organisation including assigning responsibilities, awareness raising and training staff.
- To provide advice on, and monitor, data protection impact assessments.
- To cooperate and act as a point of contact with the supervisory authority.
Unfortunately, it is still unclear exactly who is required to appoint a DPO beyond the organisations which obviously fall within one of the categories set out in the GDPR, and in particular what will constitute “large scale” for this purpose. The EDPB in its guidance on this issue suggests factors to be taken into consideration when determining whether processing is carried out on a ‘large scale’, such as (i) the number of data subjects concerned, (ii) the volume of data and/or range of different data items being processed, (iii) the duration or permanence of the data processing activity and (iv) the geographical extent of the processing activity. It goes on to give examples of situations that would constitute large-scale processing, which include (i) the processing of patient data in the regular course of business, (ii) the processing of travel data of individuals using a city’s public transport system and (iii) processing of personal data for behavioural advertising by a search engine. Examples of activities that would not constitute large-scale processing include (i) processing of patient data by an individual physician and (ii) processing of personal data relating to criminal convictions by an individual lawyer. This perhaps seems obvious: a one-man operation not requiring a DPO and a business processing data on a national scale requiring one. For those who fall somewhere in the middle, it will be a more difficult decision to make, but one point to note is that there is no exemption for SMEs in this regard. If their processing activities fall within the parameters set by the GDPR, then they will be required to appoint a DPO.
Data Breach Notification
GDPR requires mandatory breach notification for certain types of breaches (a change from the old legislation). Organisations tended to try to steer clear of any form of such notification where possible, but this is no longer an option. Controllers must, within 72 hours of becoming aware of a breach, notify the supervising authority where a data breach is likely to result in a risk for the rights and freedoms of individuals. If it is unlikely to result in a risk, controllers do not have to report it, but if they decide not to report the breach, they must be able to justify this decision and should consequently document it.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, controllers must also inform the affected individuals without undue delay.
This obligation does not only affect controllers. Processors also have an obligation to notify the controller “without undue delay” after first becoming aware of a data breach.
This breach notification obligation puts an additional administrative burden upon controllers and requires implementation of appropriate technical and organisational measures, together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing. This will obviously additionally require that the necessary technology is put in place, as well as training staff on breach response procedures to ensure that this obligation is properly and timeously complied with and that breaches are properly documented. Failure to comply will potentially result in administrative fines of up to €10M or 2% of annual worldwide turnover, so this is certainly a compliance measure not to be missed.
Cross Border Transfers of Data
In general, the rules for transferring personal data cross-border under the GDPR are not significantly different to those under the old legislation. However, breaches now attract the highest category of fines (up to €20M or in the case of undertakings up to 4% of annual worldwide turnover).
Transfers of personal data to third countries outside the EU are allowed only where both controllers and processors comply with the conditions laid down in the GDPR. Under the GDPR, the transfer of personal data to recipients outside the EU is generally prohibited unless:
- the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection;
- the data exporter puts in place appropriate safeguards; or
- a derogation or exemption applies.
Adequate Protection. Where personal data is being transferred to a third country (or a territory or one or more specified sectors within that third country, or the international organisation in question) which the Commission has decided ensures an adequate level of protection, personal data can be transferred without any specific authorisation. One important point to note is that the US is not on the Commission list of countries providing adequate protection, although they do have the EU/US Privacy Shield in place, which operates in the same way, for US organisations that have signed up to it.
Appropriate Safeguards. Cross-border transfers are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. Such appropriate safeguards are set out in Article 46 and include a legally binding and enforceable instrument between public authorities or bodies, binding corporate rules for transfers within a corporate group (as set out in Article 47 of the GDPR), standard data protection clauses adopted by the Commission or a supervisory authority, an approved code of conduct or an approved certification mechanism (the latter two applicable only when they are accompanied by binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights).
Derogations. The GDPR also contains a list of derogations which, if applicable, allow the transfer of data in the absence of an adequacy decision pursuant to Article 45(3) or of appropriate safeguards pursuant to Article 46. This list of derogations allows transfers where:
- The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers
- The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures
- The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject and another natural or legal person
- The transfer is necessary for important reasons of public interest
- The transfer is necessary for the establishment, exercise or defense of legal claims
- The transfer is necessary in order to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent
- The transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
An additional derogation does exist in limited circumstances: a transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject. Notification to the supervisory authority is required if relying on this derogation. Even though the scope of this transfer mechanism is narrow, it provides another option to enable cross-border data transfers.
Enforcement & Sanctions
One change brought by the GDPR which has certainly caught the attention of many is the increased sanctions for non-compliance, including revenue-based fines of up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine which can be imposed for the most serious infringements of the regulations (e.g. breach of data subject rights, breach of basic principles of processing including conditions of consent, international transfer restrictions). Furthermore, multinational businesses need to be aware that these fines are imposed with reference to the revenues of an undertaking rather than of the controller or processor in question. In this context “undertaking” is to be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, namely that the concept of an undertaking is understood to mean an economic unit, which may be formed by the parent company and all involved subsidiaries. Unfortunately for multinational businesses, this means that group revenues may be taken into account when calculating fines if the group as a whole is deemed to be part of the same undertaking, even where some of those group companies are completely unaware of the processing of data to which the fine relates.
The GDPR does however bring a tiered approach to fines and lesser fines will be imposed for some breaches e.g. not conducting a data protection impact assessment and certain other obligations of controllers and processors such as security and data breach notification obligations. Such breaches can result in a fine of 2% of annual global turnover or €10 Million (whichever is greater).
Significantly, these penalties now apply to both controllers and processors.
Authorities need to ensure that fines issued adequately respond to the nature, gravity and consequences of the breach and accordingly the amount fined should be effective, proportionate and dissuasive. With regard to the type of corrective measure chosen by the authority, they must make an assessment in each individual case, so the sanctions imposed will depend on the facts of the particular case. However, they should also adhere to the principle that equivalent sanctions are to be issued across member states so far as possible to create consistency so it will be important to be aware of case law across the EU.
Another factor that controllers and processors must consider is the fact that the GDPR makes it much easier for individuals to bring private claims against controllers and processors for breaches. Compensation can be claimed for material or non-material damage suffered meaning that compensation can now be claimed for distress or hurt feelings with no need to prove financial loss. Additionally data subjects can mandate a consumer protection body to exercise rights and bring claims on their behalf, lodge a complaint with a supervisory body and enjoy the right to an effective legal remedy against a controller or processor.
As well as making sure they are addressing their GDPR obligations to ensure compliance and avoiding the risk of these fines being issued, controllers and processors should continually review their insurance policies, as well as their supplier contracts to ensure appropriate indemnities are in place.
Whilst the potentially huge fines have become a focus of GDPR discussions, it must be remembered that these are not the only sanctions that can be imposed by the authorities, and a range of other corrective powers are available to them. These include the authority to issue public warnings and reprimands, to order controllers or processors to comply with data subjects' requests, as well as broad investigative powers including the power to undertake on-site investigative audits.
Special Category Data and Children
Those who previously processed sensitive data under the 1998 Act will be aware that it requires more protection. Similarly, the GDPR requires Special Category Data to be processed with more care. As special category data could create more significant risks to an individual’s fundamental rights and freedoms, in order to process special category data, you must identify and document both a lawful basis under Article 6 and also a separate condition for processing special category data under Article 9. GDPR expands the previous sensitive data definition by adding genetic and biometric data. It excludes personal data linked to criminal convictions and offences which are now dealt with separately (although the rules effectively remain the same for such data as a result of the Data Protection Act 2018).
Data processing relating to children also requires extra protection. The GDPR states that children merit specific protection with regard to their personal data as they may be less aware of the risks involved in its processing. Those processing data relating to children must therefore design all systems with the protection of the child’s data in mind. All privacy notices for children must be written in plain, clear age-appropriate language to ensure that they understand what their data will be used for, the risks involved and what rights they have. This could include the use of diagrams, cartoons, graphics and videos, icons or symbols. In particular they must be aware of their right of erasure which is especially relevant when they gave consent as a child.
The lawful basis for processing should be chosen with the protection of the child as the main focus, consideration must always be given to whether the child will be able to understand what they are agreeing to, and adequate safeguards must be put in place where appropriate. If you are using consent when you are offering an online service, remember only those aged 13 or over can consent; for anyone younger you will require the consent of their parent or guardian. Age verification mechanisms will need to be put in place. It will usually not be acceptable to make decisions based solely on automated processing using the personal data of children which will have a legal or similarly significant effect, with a few limited exceptions.