Important aspects of the GDPR and items you and your clients will need to consider.
The European Union’s (EU) General Data Protection Regulation (GDPR, the Regulation) is the new EU data protection legislation that will replace the current Data Protection Directive (95/46/EC) and, in the UK, the Data Protection Act 1998 (DPA). The GDPR applies from 25 May 2018, and the UK government has confirmed that the UK’s decision to leave the EU will not affect its implementation.
The Regulation has a broad territorial scope and is not limited to organisations located in the EU. It places obligations on controllers and processors that are either established within the EU, or located outside the EU where they offer goods or services to individuals in the EU (whether or not payment is required) or monitor the behaviour of individuals in the EU. The GDPR may also apply to controllers and processors outside the EU where an EU member state’s law applies by virtue of public international law, for example at a diplomatic mission.
The GDPR definitions of a controller and processor are similar to those offered in the DPA. A controller is a natural or legal person, public authority, agency or other body that alone or jointly with others determines the purposes and means of the processing of personal data. A processor on the other hand is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Affected data controllers and data processors should assess their operations and policies concerning data usage and its protection to ensure they are GDPR compliant.
The GDPR affects every controller and processor that processes personal data within its scope. It also broadens the definition of personal data, which now expressly includes online identifiers such as IP addresses and cookie identifiers, and any other information that can single out an individual directly or indirectly.
The GDPR imposes additional obligations and restrictions on the processing of special categories of personal data. These are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a person’s sex life or sexual orientation. Personal data relating to criminal convictions and offences is subject to separate restrictions.
The GDPR significantly increases organisations’ financial risk exposure by imposing far tougher monetary sanctions for a breach of the Regulation. Fines are set on a two-tiered scale:
Tier 1 breaches – the most serious breaches, such as infringing the basic processing principles, the conditions for consent, data subjects’ rights or the rules on international transfers, can result in fines of up to €20m or 4% of the organisation’s total worldwide annual turnover in the preceding financial year (whichever is greater).
Tier 2 breaches – lesser breaches, such as infringing the obligations placed on controllers and processors (for example security, breach notification, records of processing and DPO requirements), can result in fines of up to €10m or 2% of the organisation’s total worldwide annual turnover in the preceding financial year (whichever is greater).
In an article published on 28 April 2017, the cybersecurity consultancy NCC Group estimated that, had the GDPR been in force in 2016, total fines issued by the UK’s Information Commissioner’s Office (ICO) could have reached £69m rather than the actual £880,500. While the GDPR is not only about financial penalties, fines of this order should make its implementation a board-level issue.
Below are some other key changes the GDPR will be implementing:
1. Data Breach Notification – Controllers are required to notify the appropriate supervisory authority (in the UK this will be the Information Commissioner’s Office) of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where notification is not made within 72 hours, it must be accompanied by the reasons for the delay. Controllers are also required to communicate the breach to the affected data subjects without undue delay if it is likely to result in a high risk to their rights and freedoms.
The notification must describe the nature of the breach, including the categories and approximate number of data subjects and personal data records concerned; give the name and contact details of the organisation’s data protection officer or other contact point; describe the likely consequences of the breach; and set out the measures the controller has taken or proposes to take to address the breach and mitigate its effects. Controllers must also keep an internal record of every breach, whether or not it was notifiable.
Processors are required to notify the controller of a data breach without undue delay after becoming aware of the breach.
2. Data Protection Officers (DPO) – Any controller or processor that (i) is a public authority or body (except for courts acting in their judicial capacity), (ii) has core activities consisting of processing operations that require regular and systematic monitoring of data subjects on a large scale, or (iii) has core activities consisting of large-scale processing of special categories of data or of personal data relating to criminal convictions and offences, will need to appoint a DPO. As well as setting out when a DPO must be designated, the GDPR details the position, tasks and responsibilities of the DPO, including that the DPO must report to the highest level of management and must not be penalised for performing their tasks.
3. Greater rights for data subjects – The GDPR seeks to protect and strengthen the rights of data subjects through a number of its provisions, backed by stricter enforcement. Several of these rights will impose a greater administrative burden on organisations, which may need to implement new processes and systems to meet them. The new and enhanced rights afforded to individuals under the GDPR include the right to erasure (the ‘right to be forgotten’), the right to restrict processing, the right to data portability, the right to object, rights in relation to automated individual decision-making (including profiling), and enhanced data subject access requests, which must generally be answered within one month and free of charge.
The broader rights available to data subjects mean that organisations are likely to receive a wider range of requests. In particular, under the Regulation organisations will be required to communicate any rectification, erasure or restriction of processing to each recipient to whom the personal data have been disclosed, unless that proves impossible or involves disproportionate effort, and to inform the data subject of those recipients on request. For organisations that disclose large amounts of data to third parties, this may be particularly burdensome.
Many changes required by the GDPR will take time to implement, including new or revised policies and procedures, employee training, and in some cases technology updates.
The Information Commissioner’s Office (ICO) will enforce the Regulation in the UK, and its website has useful information and guidance on the GDPR, including a 12-step preparation checklist.
Data security remains an important aspect of the Regulation, and controllers and processors must implement appropriate technical and organisational measures to protect personal data. Lockton specialises in a range of services including data breach response, information security and reputational harm recovery. Visit its website to find out more: www.locktoninternational.com
Peter Erceg – Senior Vice President, Global Cyber & Technology, Lockton Companies LLP
Please note that the purpose of this article is to provide a summary of and our thoughts on the law. It does not contain a full analysis of the law nor does it constitute an opinion by Lockton Companies LLP on the law discussed. The contents of this article should not be relied upon and you must take specific legal advice on any matter that relates to this. Lockton Companies LLP accepts no responsibility for loss occasioned to any person acting or refraining from acting as a result of the material contained in this article. No part of this article may be used, reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, reading or otherwise without the prior permission of Lockton Companies LLP.
Find out more during ACCA’s GDPR webinar
ACCA is hosting a webinar providing an overview of the demands of the GDPR on Monday 16 October at 18:00. Register your place now to attend live or watch on demand afterwards.