Briefing for the Board
by Mandy Webster
GDPR introduces a culture shift in data protection compliance
In April 2016 the European Parliament adopted the General Data Protection Regulation or GDPR, to standardise and regulate data protection compliance across the EU. It provides benefits for multi-national organisations and those that trade in more than one EU Member State because there are provisions to designate one lead regulator.
What about Brexit?
In case there was any doubt about GDPR applying here: if we want business links with the EU we will need to match its data protection laws. In September 2017 the government announced a new Data Protection Bill which will ensure that GDPR survives Brexit. It also introduces some data protection provisions specific to the UK, as allowed under GDPR.
1. GDPR presents a new, risk-management approach to data protection compliance.
2. The data subject is at the heart of the regulation, benefiting from new and enhanced rights and entitled to additional information about processing activity. There is a higher standard for consent and special rules for processing children's data.
3. The security net tightens with breach reporting, outsourcing controls and greater penalties. Data protection regulation comes of age with fines up to twenty million euros or four per cent of annual global turnover, and increased powers such as audit rights for the regulator.
Part one - Managing data protection risk
New record keeping requirements for organisations replace notification/registration
The ICO says that if you do not know what personal data you process, then you cannot be sure of compliance. So, identify what personal datasets the organisation processes, for example a marketing dataset, HR and payroll dataset, customer accounts dataset, health and safety dataset. Identify a business owner for each and gather details of why the processing takes place, what data is involved and who the subjects are, together with the compliance attributes: how long the dataset is held, the conditions for fair processing that are being met, whether the processing is outsourced and whether the data is sent outside of the EEA.
This also starts to meet the requirement for enhanced recordkeeping under Article 30 of GDPR.
Note that the Data Protection Bill 2017 includes provision for continuing registration for data protection in the UK to fund the ICO.
New Principle of Accountability means organisations must demonstrate compliance with GDPR
Apply risk management techniques to the datasets identified for accountability and record-keeping purposes. Document the risk assessments to meet the new GDPR Principle of Accountability. Manage the risk and document any activity to avoid or mitigate risk to meet the Accountability criteria.
Some organisations have to designate a Data Protection Officer with prescribed duties
Accountability reaches its ultimate expression in the new requirement to designate a DPO in certain circumstances. This individual is responsible for communicating compliance issues to the board or senior management and to the ICO when issues get out of hand.
Mandatory DPIAs for higher risk processing and Privacy by Design principles
To pick up risks in new projects, developments and initiatives, use Data Protection Impact Assessments to identify inherent risk in the project. DPIAs are mandatory under GDPR. Failure to demonstrate that DPIAs have been done before new processing activity is undertaken will increase the level of any fines levied in respect of breaches of GDPR.
That is the outline of a risk management framework.
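As an added illustration of the record-keeping and DPIA steps above (this is example code, not part of Mandy Webster's briefing), the following Python sketches a register of processing activities in which each dataset carries the compliance attributes the text lists, and a review pass flags the gaps a board would want to see: no business owner, no lawful basis, no retention period, outsourced processing without a contract, a transfer outside the EEA with no safeguard, or higher-risk processing with no DPIA. The country list, the "high risk" categories and the three sample datasets are constructed assumptions for the demonstration, not the regulation's own definitions.

```python
"""Register of processing activities with a simple compliance review.

Added example, not code from the original briefing. The EEA country set,
the high-risk category rule and the sample records are all constructed
for illustration and would need to be replaced with the organisation's
own data and legal advice.
"""
from dataclasses import dataclass, field

# Constructed subset of EEA country codes; the real list is longer.
EEA = {"UK", "IE", "FR", "DE", "NL", "ES", "IT", "NO", "IS", "LI"}
# Constructed rule: these data categories mark a dataset as higher risk.
HIGH_RISK_CATEGORIES = {"health", "biometric", "criminal"}


@dataclass
class ProcessingRecord:
    """One row of the register: a dataset plus its compliance attributes."""
    name: str
    owner: str                 # business owner accountable for the dataset
    purpose: str               # why the processing takes place
    subjects: str              # who the data subjects are
    data_categories: set = field(default_factory=set)
    lawful_basis: str = ""     # condition for fair processing relied on
    retention_months: int = 0  # how long the dataset is held
    processor: str = ""        # outsourced service provider, if any
    processor_contract: bool = False
    transfer_countries: set = field(default_factory=set)
    transfer_safeguard: str = ""   # safeguard for non-EEA transfers
    dpia_completed: bool = False


def is_high_risk(rec: ProcessingRecord) -> bool:
    """Constructed heuristic: special-category data or children's data."""
    return bool(rec.data_categories & HIGH_RISK_CATEGORIES) or rec.subjects == "children"


def assess(rec: ProcessingRecord) -> list:
    """Return a list of findings for one register entry (empty = no gaps)."""
    findings = []
    if not rec.owner:
        findings.append("no business owner designated")
    if not rec.lawful_basis:
        findings.append("no lawful basis for processing recorded")
    if rec.retention_months <= 0:
        findings.append("no retention period recorded")
    if rec.processor and not rec.processor_contract:
        findings.append("outsourced processing with no written contract")
    outside = rec.transfer_countries - EEA
    if outside and not rec.transfer_safeguard:
        findings.append("transfer outside EEA (%s) with no safeguard"
                        % ", ".join(sorted(outside)))
    if is_high_risk(rec) and not rec.dpia_completed:
        findings.append("higher-risk processing with no DPIA on record")
    return findings


def review_register(records) -> dict:
    """Map each dataset name to its findings, for the board report."""
    return {r.name: assess(r) for r in records}


def sample_register() -> list:
    """Three constructed datasets mirroring the examples in the text."""
    return [
        ProcessingRecord(
            name="marketing", owner="Head of Marketing",
            purpose="email campaigns", subjects="prospects and customers",
            data_categories={"contact"}, lawful_basis="consent",
            retention_months=24, processor="ExampleMailCo (constructed)",
            processor_contract=True, transfer_countries={"US"},
            transfer_safeguard="",  # gap: no safeguard for the US transfer
        ),
        ProcessingRecord(
            name="hr_and_payroll", owner="HR Director",
            purpose="employment and pay", subjects="employees",
            data_categories={"contact", "financial", "health"},
            lawful_basis="contract", retention_months=72,
            dpia_completed=False,  # gap: health data but no DPIA
        ),
        ProcessingRecord(
            name="customer_accounts", owner="Finance Director",
            purpose="billing and support", subjects="customers",
            data_categories={"contact", "financial"},
            lawful_basis="contract", retention_months=84,
        ),
    ]


if __name__ == "__main__":
    for name, findings in review_register(sample_register()).items():
        print(name, "->", findings or ["no findings"])
```

Each entry that comes back with an empty list has the attributes the text asks for; anything else is an item for the risk register, and the DPIA finding in particular is the one the fines discussion below turns on.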
Part two - Putting your data subject at the heart of compliance
Changes to existing subject rights, shorter period to respond to subject access requests and responses required by electronic means
We are familiar with subject access rights; they remain under GDPR but in an amended form. It will no longer be possible to charge even a small fee to respond to a request, we will have only thirty days in which to respond to requests rather than the forty days under the UK’s Data Protection Act 1998, and there are additional information requirements too. Critically, if a subject access request is made by electronic means, email for example, then the response must be made electronically rather than on paper.
New right of data portability
There is a new right to data portability requiring controllers of data to be prepared to give data subjects a version of their personal data in a format compatible with other platforms so that their personal data can be switched from one service provider to another easily.
New right to be forgotten
Another new right is the right to be forgotten. Unless there is a compelling reason to retain the personal data it must be deleted at the request of the data subject. Even when there is a compelling reason to retain the data, it might be necessary to restrict its use until such time as it may be deleted safely.
More information to be included in Privacy Notices
To help data subjects manage their own personal data there are new information rights. The Privacy Notice is extended to cover an explanation of subject rights, details of how long the organisation intends to retain the data, information about the grounds for fair processing on which the organisation relies when processing the data and details of any transfers of the data outside of the EEA with a description of the relevant safeguards for that transfer.
New standard for “consent”
Consent of the data subject has probably been too central to many processing operations in the past, without acknowledging that the subject is often not in the best position to make that decision: ill-informed about the risk, possibly under a degree of duress from the data controller, or tricked into agreement when opt-out boxes or pre-checked opt-in boxes are used in a way that is not designed to facilitate withdrawal of consent. GDPR addresses these issues by clarifying what is meant by consent: it has to be informed and specific, unambiguous and a positive indication. Silence cannot be construed as consent.
New rules when processing data relating to children
Children are given greater protection by requiring processes to determine the age of young data subjects and then to obtain the approval of an adult to establish consent.
Part three - Tightening the security net
Balancing responsibility between data controller and data processor
The existing rules around outsourcing are a bit of an anomaly: the service provider is not currently subject to the Data Protection Act, and only the contract between the service provider and the controller regulates the processor's compliance. GDPR addresses this issue with an increased compliance burden on the data processor.
Mandatory security breach reporting
Significant security breaches must be reported to the Information Commissioner within 72 hours of becoming aware of the incident. In some cases, where the individual can take action to protect themselves, for example by cancelling a debit or credit card, the security breach will have to be announced to data subjects.
Audit rights for Information Commissioner
For the first time under GDPR the regulator, the Information Commissioner in the UK, will have the right to audit private organisations to check compliance. Long considered a toothless watchdog, the ICO gains significant teeth.
The penalties for non-compliance are massive, up to twenty million euros or four per cent of annual global turnover, whichever is greater. Do not think there is no appetite for fines at this level: the Council of Ministers in the European Council deliberately increased the maximum level of fines from a lower figure in the first draft of GDPR.
So, there you have an overview of the new data protection regime which takes effect from 25 May 2018. Organisations are forced to adopt a risk management approach to data protection compliance, data subjects are put at the heart of compliance and the security net for personal data is tightened.