Preparing for the General Data Protection Regulation

31st January 2017

Are you ready for the General Data Protection Regulation?

From 25 May 2018, all organisations will need to comply with the General Data Protection Regulation (GDPR).  Whilst the GDPR is EU law and therefore potentially affected by Brexit, the UK Government has confirmed that the UK will be implementing the GDPR.  It is possible that in the post-Brexit world the UK Government may take the opportunity to revisit aspects of the GDPR but the GDPR represents the “gold standard” in global privacy protection and global privacy laws are likely to move towards the GDPR not away from it.  As the UK’s Information Commissioner has recently commented: “The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive.  Growth in the digital economy requires public confidence in the protection of this information.”

What is the GDPR?

The GDPR is a single new data protection law for the whole of the EU.  It’s the biggest reform of data protection law for decades and represents a significant strengthening of, and upgrade to, the current data protection rules.

Even if you feel confident dealing with the existing Data Protection Act, the GDPR will bring big changes and make good data protection compliance even more important.  The GDPR retains the basic tenets of existing data protection law.  For instance, personal data must only be processed in line with a set of principles, and in accordance with specific conditions (the principles and conditions are similar, but not quite identical, to the existing law).  There are obligations on controllers to provide fair processing information to individuals and to comply with subject access requests.

There will also be plenty of changes.  There will be tighter rules for processing personal information, enhanced rights for individuals and direct obligations on data processors (those who process personal data on behalf of the data controller, for example, outsourcing providers).  Crucially, the consequences of getting it wrong will be much more severe, with fines of up to €20 million or 4% of worldwide turnover, as well as compensation claims from individuals.

What should you be doing now to prepare?

May 2018 is fast approaching, so organisations that haven’t already done so should start preparing for the changes.

We have summarised in the table below some of the key changes under the GDPR, together with actions you can take now to ensure that your organisation is ready:

| Key changes in the GDPR | Actions to take now |
| --- | --- |
| Being more transparent with individuals.  The GDPR requires controllers to give individuals more information at the time their data is collected – this includes explaining the legal basis of your processing, your data retention periods, and that individuals have a right to complain to the ICO.  There are also additional obligations whenever you seek consent from an individual to the processing of their data. | Review your customer-facing terms and your privacy policies.  These are likely to need substantial revisions to meet the new requirements.  If you are relying on customer consent to legitimise your processing, check that the method of obtaining consent will meet the new rules – note that under the new rules the data subject can withdraw their consent at any time.  If not, can you rely on an alternative condition for processing? |
| Demonstrating your compliance.  An overarching theme of the GDPR is the principle of ‘accountability’.  There are new requirements on controllers (and processors) to demonstrate their compliance by fully documenting all their data processing activities.  Organisations may be required to carry out data protection impact assessments and implement privacy-by-design and privacy-by-default techniques. | Consider what records you keep of your decision making and your processing activities.  Can you demonstrate your compliance?  Review your contracts with processors to ensure that they have robust provisions around record-keeping.  If you don’t already use them, think about introducing data protection impact assessments for new projects – these are a requirement of the GDPR where the proposed processing is high risk. |
| Mandatory breach notification.  Controllers will have 72 hours to report a data protection breach to the Information Commissioner’s Office (ICO) and, where the breach is likely to result in a high risk to individuals, they must also notify individual data subjects without undue delay. | Review your internal systems to ensure that you can meet the new breach notification requirements.  Review your processor contracts to ensure they contain obligations to report breaches to you. |
| Appointing a Data Protection Officer.  Companies that process large volumes of data as part of their core activities will be required to appoint a ‘Data Protection Officer’, as will public bodies.  This will be a statutory role (with appropriate employment protections), reporting directly into senior management, with specific functions set out in the GDPR. | Decide whether you need to appoint a Data Protection Officer.  If you do, think about who is best placed within your organisation to take on the role.  Alternatively, explore whether you could outsource the DPO role under a service contract. |
| Much higher penalties when things go wrong.  Companies will face much stiffer penalties for non-compliance.  Under the GDPR the regulator will be able to issue administrative fines of up to the higher of €20 million or 4% of worldwide turnover, a very significant increase on the current monetary penalties (which are limited to £500,000). | Ensure that the risk of penalties for non-compliance with the GDPR is fully understood at senior management / board level.  Consider what measures you can take to reduce these risks.  Review your processor contracts to ensure that liability is adequately flowed down. |
| Direct obligations on processors.  Under existing data protection law, the controller is solely responsible to data subjects and the ICO for compliance, and the processor is only liable under contract to the controller.  By contrast, the GDPR imposes direct obligations on processors, such as to take appropriate security measures to protect personal data, and maintain certain records of all processing activities.  The ICO will be able to impose administrative fines on a processor in the event of a breach of these processor obligations under the GDPR.  Individuals (data subjects) will also be entitled to receive compensation from processors where the processor acts in breach of its obligations under the GDPR or where it has acted outside or contrary to lawful instructions of the controller. | Map out all your arrangements with data processors, such as outsourced services and cloud suppliers.  The direct obligations on processors will affect all of your service providers who process personal data, so you may find they want to renegotiate terms to reflect the increased risks.  Consider whether your organisation is acting as a processor on behalf of anyone else.  If so, you will need to comply with the direct obligations under the GDPR.  This could have significant implications for groups of companies which provide services to each other. |
| Enhanced rights for individuals.  The GDPR includes a suite of rights for individual data subjects.  In addition to subject access rights, which are retained from the current law, but with some important changes, individuals will have the right to receive their data in a commonly used and machine-readable format (the right to data portability) and the right to have their data erased (the right to erasure – also called the “right to be forgotten”). | Review your process for responding to subject access requests and make any changes necessary to comply with the new rights for individuals.  Consider whether you need to change your communications with individuals to ensure they are aware of the new rights. |
| New(-ish) rules on data transfers.  The current law restricts transfers of personal data outside the European Economic Area.  This has become a major talking point since the demise of ‘Safe Harbor’, the introduction of the EU-US Privacy Shield and the implications of Brexit.  The GDPR repeats much of the existing law in this area and in some circumstances narrows the scope for organisations to legitimise transfers of personal information outside of Europe. | Take stock of your data export activities.  Whilst the GDPR does not offer any easy solutions, it is important to understand your level of risk and ensure that each of your export arrangements has a legitimate basis. |
| Foreign Regulators.  Where organisations offer services in more than one EU member state, they will be subject to regulatory enforcement from data protection supervisory authorities in other jurisdictions where customers are located.  Organisations will be subject to a ‘lead’ authority and there will be a mechanism to ensure that decisions are made consistently across jurisdictions. | The lead supervisory authority will be the regulator in the country where you have your ‘main establishment’.  Consider where this is and identify the lead authority.  Keep a close eye out for guidance issued by your lead authority (which will be the ICO for organisations with their main establishment in the UK). |
| Children.  For the first time there will be specific data protection rules applying to children with an age of consent for the processing of children’s personal data.  It is likely the UK will set this age of consent at 13. | If you collect information about children (likely to be defined for data protection purposes as those under 13) then you may need a parent or guardian’s consent to process their personal data lawfully.  Consent must be verifiable and privacy notices must be written in language that children will understand. |

How we can help you prepare for the GDPR

Blake Morgan’s expert lawyers can assist you every step of the way in getting ready for the GDPR.

We would be very happy to support you by:

  • Discussing how the GDPR may affect your business
  • Advising you on the steps to take to gear up for the GDPR
  • Carrying out data protection audits in your organisation
  • Drawing up a comprehensive plan for your GDPR compliance project
  • Reviewing and amending your existing customer-facing contracts, privacy policies and fair processing notices
  • Advising on customer consent wording
  • Drafting data protection policies and procedures
  • Reviewing existing contracts and drafting data protection clauses for new contracts
  • Supporting your Data Protection Officer

We can also provide a range of bespoke data protection training courses to suit your needs.

Blake Morgan is the only law firm accredited to provide the BCS Certificate in Data Protection course, which is an intensive five-day course leading to a professional qualification (on successful completion of an externally marked exam).  This qualification is ideal for anyone with data protection responsibilities, particularly those taking on the Data Protection Officer role under the GDPR.

Blake Morgan’s data protection and information governance expertise

We provide pragmatic advice on data protection and information governance law for organisations across the private and public sectors.  As well as GDPR compliance, we help clients understand their existing obligations, implement appropriate systems for compliance and manage specific challenges as they arise from time to time.

We provide well informed, practical advice in connection with information requests made under the Data Protection Act, handling investigations by the Information Commissioner’s Office (ICO) and managing potential data security breaches.

As well as providing legal advice on data protection and information governance issues, our expert lawyers provide guidance on:

  • Confidentiality and non-disclosure agreements
  • Cross-border data flows and the cloud
  • Data protection audits and advice on information security and governance (including data retention, privacy impact assessments and privacy by design)
  • Data sharing and data processing agreements
  • Litigation disclosure rules
  • Marketing and privacy (including guidance on electronic marketing consent requirements and the use of cookies and apps)
  • Public procurement rights of access
  • Re-use of Public Sector Information Regulations
  • Sale and use of databases
  • Social media and confidentiality, including employment and related aspects such as bring your own device (BYOD)
  • Data breaches and cyber security

We have helped our clients by:

  • Advising a world leading UK charity on cross-border data flows and compliance with overseas legislation
  • Conducting a major data protection compliance project with a UK university
  • Acting for the claimant in high court proceedings arising from a contested subject access request
  • Advising on cross border data processing arrangements and related trans-border data privacy issues between the UK and US for an international bank
  • Working with a leading insurance claims management provider to put in place compliant and practical data sharing and processing arrangements
  • Advising a major price comparison website in connection with contractual arrangements with insurers and the drafting of online privacy notices
  • Guiding a leading fitness club through a self-reporting process to the ICO and related communication with members following a potential data breach
  • Drafting data sharing agreements for use between a utility company and individual local authorities and advising on the processes to be put in place when individual requests for data are made
  • Advising an international hotel chain in connection with international data sharing and consent requirements when engaging in e-marketing