On 25 May 2018 – the General Data Protection Regulation (GDPR) will replace the current Data Protection Act 1998 (DPA). The principles of GDPR are very similar to those of the current DPA, however there are new elements and significant enhancements, so businesses of all sizes will need to take steps to ensure they comply with the regulations as this will have an impact on the way any entity collects, stores and processes personal data.
It is essential to consider your approach now to ensure sufficient time to put in place any new procedures.
Key principles of the GDPR
The regulations are detailed and will require much analysis for any affected organisation but we have picked out some key information below to help with any initial review.
“This is the biggest change to data protection law in a generation.”
Elizabeth Denham – ICO Information Commissioner
The key principles of the GDPR are that personal data* should be: –
- Processed lawfully, fairly and in a transparent manner.
- Collected for specified, explicit and legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate, and where applicable, up to date.
- Kept in a form which permits identification of individuals for no longer than is necessary.
- Processed in a manner that ensures appropriate security.
The key new principle is that of accountability – you must show how you comply with the above principles. You must enshrine privacy by design and have proportionate governance processes in place to ensure accountability at all levels of an organisation. The GDPR widens the scope of the existing DPA to cover data on all EU subjects, irrespective of where the data processing actually takes place.
*Personal data is any information which can be linked through to an identifiable person. Personal data is defined largely in the same terms as under the existing DPA, the main changes are to add specifics such as IP address, genetic and location data.
The guidance around consent is now clearer. To have consent, you must have some form of clear positive action. Inaction, pre-ticked boxes or silence do not constitute consent. Consent must be verifiable and recorded and any individual must retain the right to withdraw consent at any time. If existing consents meet these requirements, it will not be necessary to re-obtain consent from existing individuals.
It is important to consider this knowing that the ICO has recently fined several high profile companies including Morrisons and Honda for failing to follow data protection rules. Charities have also been in the firing line with 13 household name charities fined for mistakes made largely in the obtaining of consent from donors. The fines totalled £171,000 but these were heavily discounted from the maximum fines the ICO could have imposed. All of these fines were imposed on the basis of not meeting existing DPA requirements.
The ICO is currently preparing some specific guidance for charities on obtaining consent from donors having put our proposals to consultation earlier this year. We expect to see the final guidance during the summer. It is expected that consent will need to be ‘granular’ in nature and it will not be permissible to apply ‘catch-all’ consent statements.
There is a significant increase in fines that can be imposed under GDPR for non-compliance. For some breaches including failing to obtain valid consent, fines can be up to 4% of annual worldwide turnover or 20 million Euros (whichever is greater). Other breaches can results in a fine of 10 million Euros or 2% of annual worldwide turnover. The significance of these potential fines should incentivise businesses of all sizes to ensure they comply with the GDPR by the 25 May 2018 deadline.
Rights of individuals
The GDPR goes beyond the DPA to give explicit rights to all individuals of the following:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to profiling / automated decision making
It is important to note the GDPR states that children aged under 13 cannot give consent, those aged 16 or older can freely given consent, and there is some national flexibility for those in-between, for which the ICO has yet to offer a viewpoint although it is expected to confirm that parental consent will be required for all children under 16 years old.
When things go wrong
The GDPR introduces a duty to report personal data breaches to the ICO (in the UK). A breach can refer to the destruction, loss, alteration, unauthorised disclosure or access to personal data. Where such a breach is likely to have an effect on the rights and freedoms of an individual it must be reported to the regulator, you also have to notify those individuals concerned directly if the risk is high. Breaches must be notified within 72 hours of an organisation becoming aware, failure to notify in itself can result in a fine of 10m Euros or 2% turnover, whichever the greater, (the other tier of fines runs at 20m Euros / 4% turnover). This reporting window is relatively short where for example in a charity a board meeting may need to be called to review a breach to decide if it is reportable, you must therefore ensure you have robust procedures around the internal reporting of potential breaches.
Steps a business owner should take now
The ICO has put together GDPR – 12 steps to take now which providers a checklist for businesses to ensure they are prepared for the 25 May 2018 deadline.
- Awareness – be aware that the law is changing to GDPR and appreciate the impact
- Information you hold – document what personal data you hold, where it came from and who you share it with
- Communicating privacy information – review current privacy notices and plan any necessary changes
- Individual rights – check procedures to ensure they cover all the rights individuals have
- Subject access requests – update procedures and plan how you will handle requests
- Lawful basis for processing personal data – identify and document your processing activity
- Consent – review consent practices and refresh if they don’t meet GDPR standard
- Children – consider whether you need to verify individuals’ ages and to obtain parental consent for any data processing
- Data breaches – put in place procedures to detect, report and investigate a personal data breach
- Data Protection by Design and Data Protection Impact Assessments – familiarise yourself with the ICO’s code of practice.
- Data Protection Officers – designate someone responsible for data protection compliance
- International – determine your lead data protection supervisory authority (ICO in the UK)
Steps a charity should take now
The board will need to consider the issue formally and appoint a trustee or staff member to be responsible for compliance (you may also need to consider appointing a data protection officer), you will also need to consider a budget for the potential costs to ensure compliance. Secondly, a process will need to be undertaken to review any potential ‘gaps’ in compliance and further identify the options to plug these gaps. Ensure policies and procedures are in place to cover collection and processing of personal data and to report breaches. Ensure the review covers all areas where personal data is held, from HR to finance, to operations and fundraising. If deemed necessary you may need to arrange staff and trustee training and engage professional advisers to ensure the GDPR framework becomes embedded in everything the charity does. You will need to review where the charity uses third party data processors, at a basic level this could include payroll providers, at a higher level other charities or overseas partners involved in delivering the programs of the charity. Lastly, the board will need to consider going beyond the GDPR requirements, applying best practice and considering what other areas could be reviewed (“while the drains are up”).
Should you care?
Yes! Compliance with data regulations may at first glance appear uninteresting and bureaucratic but it is vital for any organisation within the scope of GDPR to ensure compliance by 25 May 2018 – this will ensure the entity does not end up with a fine from the regulator, and more importantly that it maintains its reputation.
Affected organisation could look upon this as an excuse to update systems and processes, to improve data practices and in fact get more out of the data they do hold. It is also a good opportunity to review IT systems and ensure these are robust against outside intrusion.
For more information the impact of GDPR and your business data, contact a Menzies team member for any professional advice.