The General Data Protection Regulation (EU) 2016/679 (GDPR) is an EU regulation which came into effect on 25 May 2018 and has set a new benchmark for the processing of personal data. It applies to any organisation that is processing the personal information of data subjects inside the EEA. The Data Protection Act (DPA) 2018 sits alongside the GDPR and tailors how the GDPR applies in the UK.
As a European regulation, the GDPR is directly binding and applicable in the UK until it finally leaves the EU at the end of the transition period, i.e. 31 December 2020*. Whilst the GDPR will, in principle, no longer apply to the UK from the end of the transition period, if your organisation operates inside the UK, you will still be required to comply with UK data protection law. The UK Government has indicated that it intends to incorporate the GDPR into UK data protection law from the end of the transition period. As such, it is anticipated there will be little change to the core data protection principles, rights and obligations found in the GDPR.
The purpose of the GDPR is to harmonise and standardise data protection laws across all the EU member countries, as well as providing greater protection and rights of individuals (data subjects) over the processing of their personal data.
The GDPR is underpinned by 7 principles (or 6 plus one, as some refer to them) which lay out the broad purposes of the GDPR.
What are the 7 GDPR principles?
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Storage limitation
• Integrity and confidentiality (security)
The principles, with the exception of accountability, are largely the same as those that existed under previous UK data protection laws, e.g. DPA 1998. If your organisation acts as a controller or processor of personal data, you must implement appropriate technical and organisational measures to ensure the data protection principles are adhered to. In other words, your information systems must be designed with privacy in mind. Under the accountability principle, your organisation is responsible for complying with the GDPR and for being able to demonstrate your compliance. One of your duties, for example, is to report certain types of personal data breach to the relevant supervisory authority, namely the Information Commissioner’s Office (ICO) in the UK. You must also report, where feasible, within 72 hours of becoming aware of a breach. The failure to notify a breach can result in a heavy fine of up to 10 million euros or 2 per cent of your global turnover, therefore it is important to have robust breach detection, investigation, recording and internal reporting procedures in place.
Your organisation must ensure that it processes personal data under one of the 6 lawful bases specified by the GDPR.
What are the 6 lawful bases?
• Public task
• Vital interest
• Legitimate interest
• Legal requirement
Of the 6 bases above, no one carries greater weight or importance than any other. The basis you choose as being most appropriate will depend on your purpose and relationship with the data subject. With most lawful bases, there is a requirement that processing is ‘necessary’ for a specific purpose. If you can ‘reasonably’ achieve the same purpose without the processing the personal data, you won’t have a lawful basis. It is important that you determine your lawful basis before you begin processing, and you also need to document it. In addition, you need to include your lawful basis for processing, along with the purposes of the processing within your privacy notice. Care should be taken when gaining consent for processing as it may not be valid if the data subject is not fully informed and must be capable of being withdrawn. If your purpose for processing changes, and you need to use existing personal data you hold for a new purpose, you can only continue using the original lawful basis if your new purpose is compatible with the original reasons you collected it, (unless your original lawful basis was consent). Also, beware if you are processing special category or criminal conviction data, as you will need to identify an additional condition for processing these types of data. If you process criminal conviction data or alleged offences, you will need to check whether you are permitted to do so – a second EU regulation (EC 2016/680) applies to law enforcement agencies.
Your organisation must also respect the rights of data subjects as set out in the GDPR.
The 8 rights are:
• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object
• rights around automated decision making and profiling
* Once the transition period ends, the UK becomes a third country and its ongoing relationship with the EU will be based on an adequacy decision at the European Commission. If the Commission determines that the UK has an adequate level of data protection by the end of the transition period, the free flow of personal data to the UK from the EU can continue uninterrupted.
How do you Comply with the GDPR Principles?
Lawfulness, fairness and transparency
Under this principle, your organisation must, first and foremost, ensure your data collection and data processing practices are lawful and you are not doing anything with personal data which will breach any laws. You must, for example, identify what is your ‘lawful basis’ for collecting and using personal data. In order to be fair, you must not process personal data in a way that is unduly detrimental, unexpected or misleading to the data subjects concerned. In order to meet the transparency requirement, you need to be clear, open and honest with data subjects on what, how and why you are processing their personal data. Your privacy notice is an ideal vehicle for communicating this.
*If you are looking to use personal data for a new purpose, we would recommend in the first instance that you conduct a data protection impact assessment (DPIA).
Sitting alongside the purpose limitation principle, you must ensure the personal data you are processing is adequate, relevant and the minimum necessary to meet your stated purpose. In other words, do not collect any information that is not needed. The less information you are collecting and processing will help you keep it up to date and accurate (see next principle!) and will help to limit any damage in the event of a data breach. In addition, it is worth noting that the less you hold, the less you need to disclose on a data subject access request and the easier it is to maintain effective records management.
Maintaining the accuracy of personal data you process is another principle that has been at the heart of data protection legislation for some time. The ICO states that your organisation needs to ‘take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact’. Furthermore, if you become aware that any personal data is incorrect or misleading, you are expected to take all reasonable steps to correct or erase it as soon as possible and without delay. The right of a data subject to request that inaccurate or incomplete data be erased or rectified is one of the 8 rights that data subjects have under the GDPR. It is important, however, to validate ‘inaccuracy’ claims before making any changes and sometimes you may need to restrict processing until an accuracy dispute is settled.
Quite simply, you must not retain personal data any longer than required for the purposes defined and agreed for processing. Wherever possible, you should develop a policy stating standard retention periods to comply with documentation requirements. Furthermore, you need to be reviewing the personal data you hold at regular intervals and erasing or anonymising it when you no longer need it. As the ‘right to erasure’ is one of the key data subject rights under the GDPR, you must carefully consider any challenges to your retention of data and be able to defend your retention periods. It should be noted that the GDPR allows longer storage time if you are processing personal data for public interest or scientific purposes.
Integrity and confidentiality
Integrity and confidentiality (along with availability) represent the main pillars upon which good information security is built. Personal data under the GDPR must be “processed in a manner that ensures appropriate security of the personal data”. The use of the word ‘appropriate’ should be noted, as the GDPR acknowledges that measures and controls will vary between organisations and sectors. The ICO picks up on this by stating that when considering what is appropriate, you need to consider risks “in relation to the nature, scope, context and purpose of your processing”.
The GDPR, however, specifically refers to protecting personal data against “unauthorised or unlawful processing and against accidental loss, destruction or damage.” As such, your organisation needs to be ensuring it has effective access control in place and it is commensurate with the personal data you are processing. We would recommend, however, that you start by conducting a risk assessment, which will determine what you should be prioritising in the way of risk treatment activities, including technical controls such as cryptography and pseudonymisation of personal data, along with organisational and physical controls. ISO 27001 and ISO 27701 provide excellent risk-based frameworks to assist you in determining appropriate systems and measures you should have in place.
It is the principle of accountability that really differentiates the GDPR from previous data protection legislation including the DPA 1998. Under this principle, your organisation is not only held accountable or responsible for your processing of personal data in line with the requirements of the GDPR, but also for having the appropriate measures and records in place to be able to demonstrate (or prove) your compliance with the Regulation. Some of the controls that your organisation can (and in some cases must) implement in order to meet the requirements of the accountability principle include:
• Adopting a data protection by ‘design and default’ approach
• Conducting DPIAs, particularly where processing of personal data is likely to result in a high risk to individuals’ interests
• Developing and implementing data protection policies and processes
• Implementing appropriate security controls (as per integrity and confidentiality principle above)
• Maintaining documentation of your processing activities
• Ensuring you have written contracts in place with organisations that process personal data on your behalf
• Developing and delivering training and awareness programmes for your staff
• Adhering to relevant codes of conduct and complying/certifying with management system standards, e.g. BS 10012 and ISO 27701
• Appointing a data protection officer*
• Recording and, where necessary, reporting personal data breaches.
*Obligatory if you are a public authority or body, or if you carry out certain types of processing activities (e.g. large scale, high-risk, or activities involving the monitoring of data subject behaviours/profiling which is considered privacy intrusive).
It is worth noting that complying with the accountability principle is an ongoing obligation and requires you to regularly review and update measures, as required, across all stages of processing. Being fully accountable and maintaining systems and documentation, however, will help provide mitigation if you are ever the subject of an investigation into a data breach. It is also important to remember that data breaches do not just relate to data loss or disclosure; an administrative breach (such as failing to adhere to the principles and rights of the GDPR) can also result in significant fines being imposed by the supervisory authority (ICO in the UK).
URM can assist you in a number of ways to comply with the GDPR and DPA. Let us help you!