The General Data Protection Regulation (GDPR) is scheduled to take effect in the UK from 25 May 2018. In line with this, businesses are advised to prepare for compliance with the GDPR, and to be aware of further potential changes to data protection law once the UK formally leaves the EU.
The practical impact of the GDPR is an extensive and nuanced topic. This article provides a preliminary overview of some key practical measures that organisations can take to prepare for the Regulation’s implementation. A broader overview of the legislative background and impact of the Regulation can be found here.
Assessing an organisation’s status under the GDPR
Many concepts and provisions within the GDPR are similar to those within the existing Data Protection Act 1998 (or DPA). In particular, the definitions of ‘controller’ (being an entity which determines – either alone, or jointly with other persons – how and why personal data is processed), and ‘processor’ (being an entity which acts to process personal data on behalf of a controller), are broadly the same under the GDPR as under the DPA. However, notwithstanding any continuity between the DPA and GDPR, organisations still need to consider precisely how the GDPR may apply to their data protection processes.
Importantly, as well as applying to organisations that are established within the EU, the GDPR is also relevant to controllers and processors based outside the EU. More specifically, it applies where a controller or processor outside the EU processes the personal data of one or more ‘data subjects’ (i.e. individuals) from within the EU, in relation to offering goods or services, including where the relevant individual is not required to make a payment. Accordingly, large numbers of UK organisations will likely be subject to GDPR requirements – especially where such organisations have internet-based business models offering goods and/or services to consumers based in the EU.
Given the above, UK organisations would be well advised to review their business models and data protection provisions in light of the forthcoming GDPR requirements. The UK Information Commissioner has also reiterated that, where a personal data breach occurs under the GDPR, it will be mandatory for the affected organisation to report the breach to the Information Commissioner's Office (ICO) without undue delay and, where feasible, no later than 72 hours after becoming aware of it. Organisations should therefore be particularly attentive to the roles, responsibilities and processes they have in place for reporting data breaches.
Compliance with the GDPR accountability principle
Unlike the existing EU Data Protection Directive, the GDPR includes a standalone principle of ‘accountability’. In line with this principle, controllers are required to be responsible for, and demonstrate compliance with, GDPR requirements regarding the processing of personal data.
In particular, the GDPR requires controllers to design and implement internal data protection policies and measures which provide an ‘appropriate’ level of security. It is therefore important that affected organisations are proactive in establishing and maintaining appropriate data protection measures. Moreover, for certain breaches of the GDPR, the ICO can impose fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher.
Accountability – Evidencing compliance:
Ultimately, the definition of an ‘appropriate’ level of security is fairly broad and, to some extent, will depend on the specific risks a controller is facing. However, there are certain data protection measures which organisations can use to help demonstrate compliance with the GDPR, including the following:
- Measures to protect the confidentiality of personal data, including anonymising such data.
- Measures providing for the integrity, availability and resilience of data processing systems, including installing and maintaining back-up systems to ensure the continued and timely availability of personal data.
- HR-based measures, including staff training, internal audits of processing activities, and reviews of internal HR policies.
- Checking that existing consents for the processing of personal data meet GDPR requirements and, if necessary, refreshing and re-obtaining such consents.
- Data minimisation measures: safeguards to minimise the amount of data collected, the extent of any processing, the period for which the data is stored, and the accessibility of the data.
- Informing an individual of the potential processing of their personal data before it is collected.
- Providing an individual with a copy of their personal data on request.
- Allowing individuals to monitor processing of their personal data.
- Appointing a data protection officer (DPO).
- Undertaking data protection impact assessments (DPIAs).
- Finally, and more generally, designing and initiating a process for regularly testing the organisation’s chosen data protection measures, and maintaining relevant documentation on processing activities.
In summary, it is important for UK organisations to fully review their data protection processes and business models prior to the GDPR coming into effect on 25 May 2018. In particular, the ICO has put the onus on organisations to take responsibility for reviewing and, if necessary, adapting their data protection provisions to cover GDPR requirements. Furthermore, organisations also need to consider the substantial penalties that can be imposed for breaching the GDPR.