INTRODUCTION TO THE GDPR
The General Data Protection Regulation (‘GDPR’) that comes into force on 25th May 2018 represents a once-in-a-generation change to the rules relating to data protection. The current Data Protection Act 1998 (‘DPA’) is based on an EU Directive (‘the Directive’) dating from 1995 and unsurprisingly has struggled to keep pace with technological developments over the last twenty years.
The content of the GDPR is summarised in Appendix One and from this summary it is clear that it retains much of the content of the DPA but also introduces some important changes that need to be taken into consideration by organisations. This book seeks to outline the key changes together with a series of practical steps that need to be taken to ensure compliance with the new rules. Each chapter is structured so as to describe how the GDPR differs from the DPA, followed by a series of practical suggestions as to how to achieve compliance in a common sense, risk-focussed manner.
When considering the changes set out in this book I suggest that you bear the following five phrases in mind:
(i) Evolution not revolution
The Information Commissioner’s Office (‘ICO’) has been at pains to stress that the GDPR does not represent wholesale change in the rules relating to data protection, rather what is being implemented is intended to build on the existing regime and take into account the development of new technologies. As will be seen throughout this book there is an enormous amount of continuity between the content of the DPA and the content of the GDPR.
Although not a phrase typically associated with this legislation, common sense is essential when trying to apply the high level principles of both the DPA and the GDPR to specific scenarios. Guidance is available from the ICO but even this is not always that helpful, depending on the precise circumstances. From my own experience of dealing with this topic for the last ten years I can safely say that there have been times when only common sense has been able to shine a light in the sometimes dark tunnel of data protection compliance.
Under the DPA there were always certain activities involving certain types of personal data that carried a higher risk of enforcement action and there is no suggestion that this is likely to change fundamentally under the GDPR. Therefore, although it is important to ensure that all aspects of the GDPR are complied with, organisations should consider prioritising the steps they take by reference to the actual levels of risk they face.
No organisation is capable of ensuring 100% compliance with every aspect of the DPA or the GDPR and therefore over the years the phrase ‘reasonable steps’ has become increasingly important. It is used, amongst other things, to describe the steps to be taken to ensure accuracy of information and also to rectify a data breach and remains a useful first line of defence for organisations found to be in breach of their obligations.
(v) Appropriate measures
This phrase contained in the DPA is also found throughout the GDPR and essentially requires organisations to take into account a number of the matters referred to above and decide on what measures will be implemented. This assessment of appropriateness is critically important for organisations seeking to comply with the GDPR so as to ensure on the one hand that they do not underprepare but on the other hand that they do not unnecessarily gold plate their procedures.
By remembering these simple phrases organisations will be well placed to find a way through the minefield that awaits in terms of complying with GDPR.
1.1 Key Definitions
The key definitions of the DPA remain in the GDPR with minimal changes. Appendix Two sets out a precise comparison but I set out below a summary of the key definitions in the GDPR together with some further explanation.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This definition has been expanded to include references to additional types of personal data but essentially remains the same as under the DPA. It is essential to understand at the outset that the GDPR, in the same way as the DPA, only deals with personal data and does not have anything to say about other types of data. If you are ever accused of breaching the GDPR the first response is always to ask whether personal data are involved.
‘special categories’ processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade‑union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
These represent a specific type of personal data. Organisations dealing with significant amounts of information forming part of the ‘special categories’ are at greater risk of enforcement action and therefore careful consideration will need to be given to the level of appropriate measures referred to above, particularly in the field of security. The types of personal data included in this category under the GDPR are essentially the same as under the DPA save that criminal records are referred to separately under the GDPR.
‘data subject’ means an identifiable natural person
In practice this means any individual employee or service user and the GDPR provides them with a series of rights which, although largely the same as those available under the DPA, are slightly more extensive.
‘controller’ means ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’
This will normally be an organisation rather than an individual and will include any organisation with employees as well as organisations that deal directly with some sort of individual service user such as customers, clients or students. A controller determines what happens to personal data and will then implement those decisions itself or will outsource the implementation to a third party known as a processor. If the controller does outsource work to a processor then usually the controller will ultimately be responsible if the processor does something to breach the rules. Readers should note that for ease of reference the word ‘controller’ is used throughout the book even when the discussion refers to the DPA.
‘processor’ means ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’
This will also normally be an organisation rather than an individual and will act solely to implement the instructions of a controller. Although the controller will usually be responsible for the processor’s actions, the GDPR places more emphasis on the processor being personally responsible in certain circumstances.
1.2 Application of the GDPR
The DPA applies to:
controllers established in the United Kingdom that process personal data in the context of that establishment.[1]
controllers that are established neither in the United Kingdom nor in any other EEA State but use equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.[2]
The GDPR applies to:
processing of personal data by both controllers and processors that are established within the EU.[3]
processing of personal data relating to data subjects resident in the EU by a controller not established in the EU where the processing activities are:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.[4]
In this case a controller established outside of the EEA is required to appoint a representative within the EEA.[5] Typically this representative shall be established in one of the Member States where the data subjects whose personal data are being processed reside.[6]
In practice, organisations that were controllers under the DPA will continue to be controllers under the GDPR and therefore will need to comply with the changes outlined in the following chapters. Clearly, some organisations based outside of the EEA may be caught by the expanded scope of the GDPR and this would need to be dealt with on a case by case basis.
However, the biggest change is the extension of the GDPR to cover the activities of processors and this means that from May 2018 processors will have to comply with certain specific provisions and are more likely to be the subject of enforcement action than was the case under the DPA.
1.3 Relationship Between Controller and Processor
The starting point is that the GDPR requires the controller to:
implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR;[7] and
implement appropriate data protection policies
Furthermore, the controller remains responsible for the actions of the processor and is required to ensure that it only uses the services of a reputable processor, having obtained sufficient guarantees regarding security and also having implemented a data processing agreement.[8] If the controller has done both of these things then it will be in a better position to explain why enforcement action should instead be directed against the processor.
The data processing agreement is to cover the following matters:
the subject-matter and duration of the processing
the nature and purpose of the processing
the type of personal data and categories of data subjects
the obligations and rights of the controller
As regards the obligations of the processor, the data processing agreement must state that the processor:[9]
processes the personal data only on documented instructions from the controller
ensures that those processing personal data are bound by a duty of confidentiality
takes all security measures required by Article 32;
respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
assists the controller to fulfil the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36
at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing
makes available to the controller all information necessary to demonstrate compliance with the obligations
If the processor infringes the terms of such an agreement by acting beyond its remit and determining what is to be done with personal data then it will be treated as a joint controller.[10]
1.4 Specific Obligations of Processors
In addition to the possibility of being treated as a joint controller the GDPR places greater obligations on processors than was previously the case. The key points to note are as follows:
a processor cannot engage another processor without the consent of the controller[11]
processors are required to maintain certain information about their processing activities[12]
the provisions relating to security measures are stated to apply to processors as well as to controllers[13]
the processor must notify the controller without undue delay where it becomes aware of a personal data breach[14]
in certain cases a processor must appoint a data protection officer[15]
in certain limited circumstances a processor can be liable to pay compensation to a data subject[16]
a processor will be liable to a fine in certain circumstances[17]
Although the key definitions remain largely the same it is important to note that the application of the GDPR is wider than that of the DPA and this is particularly significant for organisations that act as processors as their obligations have been increased significantly.
1.6 Practical Steps
In the light of these issues, the following practical steps are recommended:
Review whether you have any group companies outside of the EEA contacting data subjects directly
If so, determine what entity will be appointed as their representative and in what country
Review what data processing agreements you have in place and whether you need to enter into any new ones
Review what guarantees of security you have in place
Consider whether you need to amend an agreement to comply with the requirements of the GDPR
Review what data processing agreements you have in place
Consider whether you are acting in accordance with the controller’s instructions
Familiarise yourself with your increased obligations under the GDPR
[2] s5(1)(b) DPA