GDPR – What’s new?
The EU’s General Data Protection Regulation (“GDPR”) is the single most significant piece of data privacy legislation passed by the European Parliament in the last two decades. It has a significantly broader scope than the existing legislation and introduces a tiered penalty system for non-compliance, with fines as high as 4% of annual global turnover or EUR 20m whichever is the higher.
The GDPR will come into force in all EU member states from 25 May 2018 without the need for any additional local legislation implementing it. As regards the post-Brexit UK, in a recent paper entitled “Cyber Security Regulation and Incentives Review”, the Government confirmed that implementation of the GDPR will not be affected by the UK’s decision to leave the EU.
Therefore, at least in the short-term, all UK based organisations will have to adapt to the new requirements. It is also likely that any future developments in the UK’s regulatory approach towards cyber security will seek to maintain some form of equivalence with the EU’s model.
In this note, we set out briefly the key features of the GDPR and the differences between the GDPR and its predecessor, the Data Protection Directive 95/46/EC (“Directive”) which was implemented under UK law by the Data Protection Act 1998.
The Scope of the GDPR
The GDPR is aimed at organisations processing personal data either as controllers (i.e. those with the interest in processing the data) or as those processing on behalf of controllers (i.e. data processors). Whilst the definition of “personal data” under the GDPR is not fundamentally different from that under the Directive, it expressly expands the scope of the law to “online identifiers” and “location data”.
From a practical perspective, these changes are not surprising and merely bring the codified law up to date with technological advancements and the existing judicial trends and guidance. Nonetheless, as the technology progresses, it is inevitable that further types of data will challenge these newly introduced terms.
Sensitive Personal Data
This category has now been expanded to include “genetic” and “biometric” data. Whilst the former is likely to be limited mainly to organisations engaged in clinical analysis, biometric data such as face images, voice recordings and fingerprints, is increasingly used by commercial entities for user authentication purposes.
Organisations involved in the processing of sensitive data will need to give particular consideration to additional consent conditions in Article 7 of the GDPR and ensure that proportionate measures are implemented to protect the sensitive personal data from unauthorised access.
Finally, Article 9 of the GDPR allows for additional regulation of biometric, genetic and health data at a national level. Therefore, in each case local legal advice may be required.
“Pseudonymisation” lies at the core of the “privacy by design” and “data protection by default” concepts introduced by the GDPR. However, in practice it will not be entirely new to many organisations.
Briefly, pseudonymised data is personal data which does not allow for identification of an individual without the use of additional information stored separately (preferably in a different encrypted medium). Given the relative ease with which data can be pseudonymised and the reduced risk of damage – in the event of an unauthorised access – pseudonymisation is likely to grow and become standard practice.
The Data Processors
The GDPR imposes direct obligations not only on data controllers but also on the data processors.
This constitutes a significant change to the relationship between data controllers and their suppliers and will inevitably have an impact on contractual negotiations and due diligence.
The GDPR applies to organisations established within the EU and also to those non-EU organisations which either offer goods or services (including for free); or monitor individuals, in the EU.
This significant expansion of the EU’s privacy laws may be unsurprising in view of some of the decisions previously issued by the Court of Justice of the European Union (“ECJ”) – such as the well-publicised “right to be forgotten” case against Google Inc, a US corporation, in which the ECJ ordered Google to remove links to information related to a Spanish citizen, or the Weltimmo (Case C-230/14) in which it was held that incorporation is not a pre-requisite to being “established” in another EU state.
On the other hand, the concept of monitoring individual online activity is a new concept and potentially very broad – particularly in the context of the level of detail required for the data collected to amount to individual profiling.
Non-EU organisations caught by the GDPR should carefully consider whether one of the exemptions set out in Article 27 of the GDPR applies. If not they will have to nominate an EU representative.
There are several new changes to the governance regime.
Article 5 of the GDPR lists the fundamental principles which must be observed when processing personal data. These are broadly the same as under the Directive with the addition of an obligation to be able to demonstrate compliance with the principles.
Data Protection Officers
Public bodies (other than courts) and data controllers and processors whose “core activities” involve either “regular and systematic monitoring of data subjects on a large scale” or processing of sensitive personal data and “personal data relating to criminal convictions and offences” on a “large scale” will have to appoint a data protection officer (“DPO”).
The DPO must be an expert in the fields of “data protection law and practices” and may be either employed or contracted. Organisations will be under a duty to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” with direct reporting access to the “highest management level”.
The status of the DPO will be protected. Article 38 provides that the “controller and processor shall ensure that the [DPO] does not receive any instructions regarding the exercise of those tasks. [The DPO] shall not be dismissed or penalised by the controller or the processor for performing his task.”
Whereas this requirement may not be new to some businesses, particularly those operating in countries in which the DPO appointment has been required previously as a matter of national law, many organisations will have to analyse closely the nature of their activities and operational scale to determine whether a DPO needs to be appointed.
Privacy by Design
The GDPR requires that controllers implement “appropriate technical and organisational measures” to protect personal data both at the time of determining the method for processing and continuously throughout the process.
In practice, this means that organisations should ensure that personal data is processed only when necessary and that where anonymised data cannot be used other measures such as pseudonymisation are implemented.
Data Protection Impact Assessments
Section 3 of the GDPR makes it compulsory to conduct a data protection impact assessment (“DPIA”) before processing personal data which is likely to result in “a high risk to the rights and freedoms of natural persons”. Article 35(3) provides a non-exhaustive list of examples of what constitutes high risk processing. This, for instance, includes personal profiling and a “large scale” processing of sensitive personal data.
As a minimum, the DPIA will have to contain:
- description and the purpose of processing;
- “an assessment of the necessity and proportionality of the processing”;
- “an assessment of the risks to the rights and freedoms of data subjects”; and
- “the measures envisaged to address the risks (…)”.
The data security obligations set out in Article 32 of the GDPR require data controllers and data processors to make an assessment of the personal data processed and employ “appropriate technical and organisational measures” to protect it.
Organisations will now be held fully accountable for any shortcomings. Article 33 requires that all breaches which are likely to result in “a risk to the rights and freedoms of natural persons” must be reported.
The reporting obligations apply to both data processors, who are obliged to notify data controllers of the breach without undue delay, and to data controllers – who must in turn report the breach to their supervising authority without undue delay, and where feasible no later than within 72 hours after the discovery.
The GDPR further sets out information which needs to be submitted as a part of the notification. As a minimum, this includes the nature of the breach, the likely consequences of the breach and the mitigating measures proposed or taken by the controller to address the breach.
In addition, unless the data controller can demonstrate that the compromised data was sufficiently protected (whether before or, by way of mitigation, after the breach); or it would be disproportionate to do so, the data controller will be obliged to notify the relevant individuals of the breach.
In practical terms, the impact of obligations imposed by Articles 32, 33 and 34 of the GDPR will be profound:
- firstly, businesses will have to ensure that their IT systems are proportionate to the nature of the personal data held. This will be an on-going process evolving in line with the nature of cyber threats;
- secondly, clear procedures will have to be established in relation to prevention and management of breaches as well as post-breach response including timely and compliant notification to the relevant supervising authority;
- thirdly, particular consideration will have to be given to the emergency response team itself. It is reported that a significant and growing proportion of breaches are initiated by insiders legitimately connected to the organisation’s IT systems;
- fourthly, reporting obligations to both regulatory authorities and individuals affected by the breach will increase the likelihood and time within which a breach attracts media attention and appropriate responses should be developed in advance.
In view of the complexity of cyber-attacks and the significant financial and reputational ramifications organisations should consider early involvement of external experts including cyber forensics experts, PR consultants and lawyers able to minimise the internal and external damage as well as preserve any evidence.
The framework for transfers of personal data to organisations located outside the EU under the GDPR remains largely the same as under the existing Directive. However, organisations will want to take note that non-compliant transfers will now leave them open to the highest level of fines – up to EUR 20m or 4% of annual worldwide turnover in the case of an “undertaking” (effectively any entity engaged in an economic activity).
The EU Commission’s existing list of countries recognised as employing adequate protections will remain valid – including the EU-US Privacy Shield arrangement approved on 12 July 2016.
The existing mechanisms for transfers to other non-approved third countries will remain in force with two additional alternatives. Namely, subject to binding and enforceable commitments from the recipient in the third country to adopt appropriate safeguards, organisations will be able to rely on approved codes of conduct or approved certification mechanisms.
Finally, where a transfer cannot be justified on the grounds of recognition by the EU that the country or organisation to which data is to be transferred ensures an adequate level of protection or appropriate safeguards, Article 49 of the GDPR provides a list of “derogations” i.e. specific circumstances in which transfer may nonetheless take place. These grounds are broadly similar to those found in the Directive with a new last resort exception which can only be relied upon where other derogations cannot be applied. In order to rely on the derogation the controller will need to satisfy a number of conditions including “self-certifying” that suitable safeguards exist.
Enforcement and Sanctions
The enforcement of compliance with the GDPR will be conducted by the supervising authorities in individual member states, albeit a rather procedurally complex mechanism also exists for cooperation between different supervising authorities where multiple member states are involved (Articles 60 to 66).
On an individual level, the GDPR equips the authorities with a wide range of investigative and corrective powers. Those controllers and processors who are found to be in breach of the GDPR may face a range of consequences, the most severe being a limitation or a complete ban on personal data processing and/or a fine.
Although fines are not compulsory, Article 83 of the GDPR provides that they “shall in each individual case be effective, proportionate and dissuasive.” The maximum amounts which can be imposed depend on the particulars of breach and can range from:
- fines up to EUR 10m or, in the case of an undertaking, 2% of the total worldwide turnover, (whichever is the higher) for breaches of specific obligations of controllers and processors and certification and monitoring bodies;
- fines up to EUR 20m or, in the case of an undertaking, 4% of the total worldwide turnover (whichever is the higher) for breaches of individual’s rights, unauthorised transfers outside the EU, failure to comply with an order issued by the supervising authority and breach of any of the basic principles.
For further details please refer to Article 83(4) and (5) of the GDPR.
The severity of financial penalties will undoubtedly be of concern to all organisations but will need to be particularly closely considered by complex corporate groups which may be subject to the higher revenue based penalty – some of the past ECJ decisions suggest that the definition of “undertaking” with reference to which the GDPR penalty assessment would be made is wide enough to capture parent companies.
Although the GDPR will come into force in all member states on 25 May 2018 without the need for any implementing local law, member states have been provided with powers to regulate a number of areas at a national level. The relevant provisions are Article 23, which provides states with a right to derogate in matters such as national security and civil and criminal enforcement; and Articles 85 to 91 which give power to regulate in relation to “specific data processing situations” such as “freedom of expression and information” and “employee data”.