With the implementation date of GDPR just seven months away, firms will need to start getting to grips with the requirements soon to be ushered in under the EU’s flagship regulation for data protection. As things stand, GDPR will kick in before the UK formally leaves the European Union, meaning that its implications will still apply to UK firms. In any case, the UK’s Data Protection Bill, published by the UK government in September 2017, will also introduce new data protection obligations alongside GDPR. Both pieces of regulation mean that affected firms will need to strike a balance between focusing on implementing the new requirements whilst continuing to invest in their businesses. This article sets out all of the key points that firms will need to consider before GDPR’s implementation date of 25 May 2018.
Controllers and processors
A significant change that GDPR will introduce is a broadening and deepening of the duties of both data controllers and data processors. GDPR will perpetuate the definitions of both data controllers and processors that exist under current legislation. At present, a data controller is the person or authority responsible for determining the purpose and means of processing the personal data held by a firm, whereas a data processor is the individual or authority which processes the data on behalf of the controller.
Under the UK Data Protection Act (DPA), the controller is typically responsible for determining the content and purpose of data that is collated by a firm, whilst agreeing some shared responsibility with the processor. Under GDPR, however, the processor is brought within the regulatory scope in that they will have compliance obligations and could, therefore, be liable to fines. Contracts between processors and controllers will also need to include a set of ‘mandatory’ terms and conditions that set out the instructions and rules in relation to concepts such as pseudonymisation and anonymisation. Finally, processors will be obliged to delete data at the request of the controller and must provide all of the necessary information to prove obligations under GDPR are being adhered to.
The right to erasure
Another key change that will be brought about by GDPR will be the introduction of ‘the right to erasure’. This is essentially the right of an individual to request that any data being held by a firm be deleted from its database, or for any further dissemination of the individual’s data to cease. There are exceptions where an erasure can be denied by a firm, for example, when a firm is legally obliged to continue to hold the data (which will be typical within the financial services industry) or if it is in the public’s interest for the data to be archived. The scope of the UK’s Data Protection Bill goes further than GDPR in that it allows firms to refuse an erasure if the data is relevant to the interests of public safety, immigration or public health.
Firms will need to put a framework in place to review requests for erasure “without undue delay” and will need to determine who is responsible for dealing with the requests, how each request will be reviewed, the content and purpose of the data being held and who has access to it. Under MiFID II, which will be brought into force on 3 January 2018, firms will need to retain data for years after an account is closed. Whilst GDPR does not contradict this obligation, it states that data should only be stored for as long as it is needed. Recognising such nuances will be important for firms in order to comply with GDPR in tandem with other pieces of regulation such as MiFID II.
Subject Access Requests (SARs)
GDPR will also bring about significant changes to the Subject Access Request (SAR) regime that currently exists in the UK under the DPA. Under GDPR, firms will no longer be able to charge for complying with an individual’s request unless it is “manifestly unfounded or excessive” in nature. Alternatively, a data controller may refuse to respond to the request. In cases of refusal, controllers will need to provide evidence of the excessive nature of the request. Moreover, it must be possible for data subjects to make requests electronically (e.g., by email). If a request is made electronically, firms are obliged to respond in the same manner.
A firm’s response to each subject access request should inform the individual of what information is held about them, as well as how that information is being processed. Data controllers may also need to provide additional information, such as the retention period of the relevant data, as well as confirmation that the individual has the right to have inaccurate data corrected. Data controllers must respond to a request within one month, though there will be the possibility to extend this period for particularly complex requests.
Data controllers can withhold personal data if disclosing it would “adversely affect the rights and freedoms of others”. This is reflective of the current position under the DPA, however, Member States may extend this to examples such as intellectual property rights, trade secrets and legal privilege.
Data Protection Impact Assessments (DPIAs)
A key GDPR consideration for firms will be the introduction of the Data Protection Impact Assessment (DPIA). Firms will need to carry out a DPIA when either a new data processing method is developed or an existing process is changed, and the processing “is likely to result in high risk to the rights and freedoms of natural persons”. Each DPIA will need to show how the processing method will impact the data subject. Typical examples of instances that will require a DPIA are when a firm carries out large-scale processing of special categories of data, or of personal data relating to criminal offences. The FCA are due to publish a list of all the processing operations which will be subject to an impact assessment under GDPR.
Each impact assessment will need to contain a description of the processing method and its purpose, as well as a review of its necessity, proportionality and the risks that it may pose to the rights and freedoms of a data subject. Controllers will also be obliged to seek the views of data subjects on the intended processing operations.
Under GDPR, a data breach, should it occur, will need to be reported within 72 hours of the firm becoming aware of the breach. As such, firms will need to implement a simple and comprehensive process to detect and report data breaches. Breaches can seriously impact a firm’s reputation, regardless of whether or not a fine is paid and, although no system will ever be watertight regarding the prevention of data breaches, reputational damage will be limited if a firm avoids fines by ensuring breaches are reported within the required time limit.
Any fines that are incurred by firms under GDPR will be proportionate based on “the nature, gravity and duration of the infringement”, as well as any intentional character that can be identified. Any action taken by the firm to mitigate the damage caused to data subjects will also be taken into account by the national authority, as will the way in which the infringement was reported (i.e., if it was a voluntary disclosure made by the firm). For most obligations under GDPR, fines will be capped at the higher of 20 million euros, or 4% of a firm’s total worldwide turnover for the preceding financial year.
Transfers of data outside of the EU
GDPR will maintain the existing rules in the UK in relation to transferring data outside of the EU. Current requirements mean that instances of data transfers should continue to be based on adequacy, necessity and safety.
The changes to data protection procedures that will be brought about by GDPR will be significant, so it is imperative that firms take all of the necessary steps to ensure that they are ready.
To become GDPR compliant, firms should carry out an internal audit of all of the relevant data that they currently hold. The audit should determine what data is held by the firm and why, how it is processed, used and monitored, the various retention periods and the procedures that are in place with regard to international transfers. The audit will enable a firm to identify and review its data protection policies, thereby highlighting what additional changes need to be implemented to become GDPR-ready.
The number of GDPR related documents is increasing and we are currently tracking and uploading them into our RegDelta libraries, mostly from EU and UK issuing bodies. We regularly review and analyse these documents.