The EU General Data Protection Regulation (GDPR) featured prominently in our recently released annual Startup Outlook report, and unsurprisingly so. Entering into force on 25 May 2018 after a two-year transition period, the GDPR is the most comprehensive reform of EU data security in 20 years and has considerable international ramifications. While opinions about the GDPR varied, the vast majority of our clients described what a huge impact it is having on their operations.
The Regulation affects any organisation, in any country, wishing to offer goods or services to EU citizens and residents or involved in the collecting, holding or handling of their personal data. And with the potential size of fines for breaches at up to €20m or 4% of annual global revenue, even tech titans have been forced to sit up and pay attention.
The GDPR is more complex than the 1995 Data Protection Directive it supersedes, but its main thrust is to give additional rights to data subjects and place additional obligations on data controllers. Here we highlight some of the key points:
Consent and Transparency
The GDPR raises the bar of consent. The key language is that it must be “freely given, specific, informed and unambiguous”. Opt-in is now the default, with implied consent via pre-ticked boxes, default settings, inactivity and so on, no longer providing the required “clear affirmative action”. Only the minimum required data should be collected, and then used only for the purposes specified by the consent.
Article 9 covers special categories of sensitive personal data relating to details such as ethnicity, political persuasion, health and biometrics. These will require a higher level of “explicit” consent for processing. In both cases, existing consent that does not meet the GDPR standards will need to be refreshed.
Consent cannot be tucked away in T&Cs – small print is a thing of the past with GDPR consent. Withdrawing consent is now a specific right which has to be clearly explained and easy to exercise at any time. The UK’s Information Commissioner, Elizabeth Denham, discusses in a blog post the lawful bases other than consent for the processing of personal data, such as “legitimate interests”. Whatever the basis, it will need to be clear, documented and demonstrable to the relevant DPA.
Legitimate Interest (LI)
For LI to apply, the interest must be demonstrated, the processing involved must be shown to be necessary, and the LI must be balanced against individuals’ interests, rights and freedoms. Legitimate interest assessments (LIAs) should be carried out and retained to help demonstrate compliance.
Privacy notices and cookies
The ICO’s guidance on privacy notices states that for data processing to be fair, controllers have to make certain information available to data subjects. Most basically: who the data controller is; the purpose(s) for which the information will be processed; any further information necessary in specific circumstances.
Privacy notices need to strike a balance: they should be neither so simple nor so complicated and high-level that they fall short of transparency requirements. The use of cookies also needs to be considered in relation to consent, since the personal data involved may contribute to the identification of an individual.
The right to be forgotten
Subjects have a new “right to erasure” under Article 17. At their request, superfluous, out-of-date, unnecessary or inaccurate data relating to them must be deleted. There are a number of other grounds for erasure, and controllers have an obligation to erase personal data “without undue delay”. Controllers should consider whether such data has also been shared with third parties and take appropriate action.
Privacy by design
Article 25 specifies privacy must be by design and default. Data controllers must build data protection considerations into operations and systems from the ground up. Data minimisation and purpose limitation are key data protection principles. Obligations also extend to accessibility and storage periods, so retention of personal data needs to be justified and people with access must also have cause to look at personal data. Requirements to hold data for statutory or legal purposes always override data protection.
Data protection obligations also apply to employees, board members, and so on, not just clients and customers. Which staff have access to the personal data of other individuals in your organisation, and at what level, must be considered.
Data Protection Impact Assessments (DPIA)
DPIAs are important tools for GDPR accountability, helping controllers to build and demonstrate compliance. They are good practice in general, but are required if you are using new technologies or if processing is likely to result in a high risk to the rights and freedoms of individuals, such as systematic and extensive processing or large-scale processing of special categories of data.
Annex 1 of the ICO’s paper on big data, artificial intelligence, machine learning and data protection, contains practical advice on applying GDPR DPIA provisions in the specific context of big data analytics.
Data Protection Officers (DPO)
DPOs assist in maintaining data protection compliance but responsibility and accountability still resides with the organisation. They can hold other posts within an organisation but their different roles must not give rise to a conflict of interest.
The precise point at which it becomes essential to appoint a full-time DPO is undefined, but Article 37 states a DPO is mandatory if the core activities of controllers or processors consist of processing operations which require “regular and systematic monitoring” of data subjects on a large scale or large-scale processing of special categories of data.
It is up to DPOs to interpret the term “large scale” and whether it applies to individual cases but the Article 29 Working Party WP243 Annex makes recommendations for determining if processing is large scale.
Data Breaches
In the event of a data breach which has, or might have, an adverse effect on a data subject (or subjects), controllers must report it to the relevant Member State’s DPA within 72 hours of the company becoming aware of it. Impacted individuals must also be informed within this timeframe. DPOs will be at the forefront in the event of a data breach, and their contact details must be publicly available, for example on privacy policy pages. The Information Commissioner’s Office (ICO) is responsible for the enforcement of the GDPR in the UK.
New levels of accountability for data controllers and data processors
Data controllers determine the purpose, conditions and means of processing data. Data processors, such as a cloud hosting provider, direct marketing company or any third-party data sharer, process data on behalf of controllers. In the past, all responsibility for a failure came down to the data controller. The GDPR alters that, with data processors now sharing the burden of data protection. However, ultimate responsibility resides with the controller so the level of compliance that processors can demonstrate will be an important factor when selecting service providers.
What about Brexit?
In a nutshell, Brexit will not affect GDPR-compliance issues. The UK’s current Data Protection Act (DPA) 1998, based on the EU Directive, will be replaced by the Data Protection Bill (DPB), currently working its way through Parliament. The standards of the DPB will be in accordance with the GDPR and preserve existing tailored exemptions found in the DPA.
GDPR and the US
An International Association of Privacy Professionals (IAPP) report on achieving GDPR compliance found that although American respondents to the survey were struggling with the GDPR’s complexity, 84% of them expected to be GDPR-compliant by 25 May 2018.
Personal data can be transferred outside of the EU if the organisation receiving the data has the appropriate safeguards, for example binding corporate rules or certification under an approved mechanism, as provided for in the GDPR. The EU-US Privacy Shield is such a certification. The EU Commission made improvement recommendations relating to the practical implementation of the framework in its report on the first annual review of the Privacy Shield last October but found that it continues to ensure an adequate level of protection and maintained the adequacy decision. However, the Article 29 Working Party (WP29) identified a number of “significant concerns” and warned unless they were resolved by May 25th it could bring the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.
The future of data protection
The ICO describes its Guide to the GDPR as a “living document”, and guidance is being provided by other DPAs and the Article 29 Working Party (to be replaced by the European Data Protection Board). On questions of interpretation, until there are test cases in the courts it is hard to say what the precise parameters will be. It is clear that an ability to demonstrate compliance, and all the steps taken to achieve it, is essential.
Complying with the GDPR was described by one Startup Outlook respondent as “time consuming and onerous”, by another as an opportunity for their business with “nothing to change” for them, and by a third as “a great challenge and an opportunity”. The GDPR certainly presents opportunities for various tech sectors, most obviously in RegTech, cyber security and identity verification. Ultimately, compliance will protect your business from the substantially more punitive fines that will be handed out to those who fall short of it.
Compliant businesses will also benefit from data subjects and controllers having greater confidence in engaging with them, as high-profile data breaches and wider privacy concerns focus minds and purchasing power on the issue.