The EU General Data Protection Regulation (GDPR) comes into force across the EU on 25th May 2018. The Regulation dramatically increases the obligations and responsibilities of businesses and organisations which control or process data. As these new obligations and responsibilities are paired with severe new sanctions, businesses should take the time to ensure their compliance in advance of the Regulation coming into force.
Who is Affected
The Regulation is binding on businesses and organisations that are involved in controlling or processing the personal data of individuals in the EU regardless of the location of the company or the location of the data processing. Although the situation is somewhat complicated by Brexit, the UK government has indicated that it will implement equivalent or alternative regulations that will largely follow the GDPR.
Personal data is defined so broadly as to cover any information that can be used to directly or indirectly identify a person. This can be anything from genetic or economic data to social media posts, computer IP address or cookie identifiers. The definition even includes data that is protected by a pseudonym, where identifying data is held separately, for example, in a hospital where samples are labelled with numbers rather than patient names before being sent for testing. Notable exceptions apply to national security activities and law enforcement.
The Regulation is applicable to data controllers and data processors. A data controller is any person or body which collects data and determines how that data is to be processed, for example an employer, a bank or a medical practice. Data processors are persons or bodies which process the data on behalf of the controller, for example a payroll company, accountant or "cloud" provider. A business or company may be both a data controller (in relation to its own employees' personal data) and a data processor.
Personal data held in both electronic format and in hard copy is covered by the Regulation.
Increased Administrative Responsibilities
The GDPR builds on obligations under existing data protection legislation and will increase the administrative responsibilities owed by data controllers and processors. Given the scope and size of the Regulation it is not possible to give an exhaustive list, but below are some of the most important requirements:
- Data controllers are obliged to implement "appropriate technical and organisational measures" to both ensure and demonstrate that processing is performed in accordance with the Regulation.
- Records of processing activities, and records demonstrating how the data protection principles have been complied with (for example by demonstrating consent as the legal basis for processing), will need to be kept. This is one of a significant number of new requirements to keep detailed records. Records will also need to be kept of all technical and organisational measures taken, to show what controllers have done to safeguard the privacy of data subjects at all stages.
- Additional resources will also be required to facilitate the new and expanded rights granted to individuals such as the right to be forgotten, the right to have incorrect data rectified and the right to more extensive information about how an individual's own personal data is processed.
- Where there has been a personal data breach there is a requirement to report it to the Data Protection Commissioner ("DPC") within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Ideally, data controllers and processors should have policies in place for dealing with breaches to ensure that they can take efficient and appropriate action where necessary. A lack of such a policy would in all likelihood be viewed unfavourably by the Office of the Data Protection Commissioner if that Office were called upon to investigate a breach, or in the course of an audit of data protection compliance within the controller or processor organisation at large.
- A Privacy Impact Assessment is required where a business carries out data processing, in particular using new technologies, which is likely to result in a high risk to the data subject's rights. Examples of those covered by this requirement could include online marketing companies or insurance companies who use automated processing or profiling, or any business extensively using CCTV, such as retailers or licensed premises.
Consent and Terms and Conditions
A business or organisation must have a legal basis for controlling or processing personal data. The Regulation makes important changes to the way in which this legal basis is obtained or determined. Companies that justify data processing by virtue of an individual's consent will face more demanding requirements. Consent must be "freely given, specific, informed and unambiguous" and must be expressed "by a statement or by a clear affirmative action". This means that consent cannot be given by pre-ticked boxes, silence or inactivity, nor can it be inferred from certain actions such as visiting a website. It must also be as easy to withdraw consent as it is to give it.
When processing data (by consent or for any other legitimate reason) an individual must be provided with certain information such as:
- how long the data will be kept;
- who will be receiving the data;
- the purpose of the data processing;
- the right to withdraw consent; and
- the right to lodge a complaint with the Data Protection Commissioner.
Importantly, this must be provided in "a concise, transparent, intelligible and easily accessible form, using clear and plain language". This aims to bring an end to long incomprehensible terms and conditions full of legalese.
Businesses that process or control data with the consent of the data subject should review the way in which this consent is obtained and also review the standard and form of the information they provide to data subjects.
New Obligations for Data Processors
Under the current system, data processors' obligations are based on their contract with the data controller, and the controller is the party responsible for any data breaches. For example, if a bank stores customers' data with a cloud service provider and there is a data breach for which the cloud service provider is responsible, it is the bank that bears legal responsibility. Under the new Regulation, controllers and processors are jointly and severally liable for data breaches.
The GDPR places increased responsibilities on data processors by imposing direct obligations such as prohibiting sub-contracting without the consent of the controller, prohibiting the processing of data other than in accordance with the instructions of the controller and requiring that processors assist the controller in ensuring compliance with the Regulation. Additionally, the new Regulation introduces mandatory terms that must be included in the contract between the data controller and data processor such as an obligation on the processor to delete or return data at the request of the controller once the service is complete.
In addition to agreeing all future contracts in accordance with the Regulation, businesses and organisations should assess existing agreements, and if necessary revise them, to ensure compliance.
Data Protection Officer
One of the more onerous and expensive requirements of the new Regulation is the requirement to appoint a Data Protection Officer ("DPO"). The appointment of a DPO is mandatory for (a) public authorities, (b) companies and organisations in the private sector that engage in large scale regular and systematic monitoring of data subjects, or (c) organisations that engage in large scale processing of sensitive personal data. If a company is unsure whether it falls into any of the above categories it can consult the "Guidelines on Data Protection Officers" produced by the European Commission, which provide a more detailed analysis of the requirement to appoint a DPO.
A DPO can be hired as a staff member or can be an external service provider and a single DPO can be appointed for several organisations. The Regulation requires that a DPO must have expert knowledge of data protection law. They must also have a good understanding of IT processes and cyber security. The Office of the Data Protection Commissioner ("DPC") has also published "Guidelines on appropriate qualifications for a DPO".
It is also important to note that although a DPO may be an employee they are required to operate with a certain degree of independence and autonomy in ensuring compliance with the Regulation. The Regulation specifically prevents a DPO from undertaking tasks which constitute a conflict of interest.
As a Regulation, the GDPR is directly effective and does not require transposition into Irish law and as such will be enforceable from 25th May 2018. It increases the investigatory powers of the DPC and also provides for administrative fines of up to €20,000,000 or 4% of annual global turnover, whichever is greater. Fines of up to €10,000,000 or 2% of global turnover can be imposed for administrative oversights such as failing to appoint a DPO or failing to notify the DPC of a personal data breach. Fines will be issued not by a court but by the DPC directly.
The Regulation also introduces the idea of a 'one stop shop' which means that multinational companies engaged in data processing and controlling will be regulated by the supervisory authority (in Ireland the DPC) where the company has its main establishment, thus removing the need to engage with multiple national supervisory authorities.
The GDPR also has the effect of making it easier to bring cases for compensation against data controllers and processors in national courts as it allows compensation to be awarded in cases where there has been no material damage suffered, for example compensation can be awarded for distress or damage to reputation.
It is anticipated that these changes will lead to an increase in litigation in this area: firstly, by increasing the number of claims for compensation against data controllers and processors, and secondly, through the DPC exercising her new and expanded powers, potentially leading to an increase in the number of appeals and judicial reviews.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.