02/02/2018
Partner Jonathan Riley and Solicitor Emily Parker from our Commercial, Media & Technology (CMT) team highlight the legal issues to be addressed by a GDPR Compliance Programme and list project actions for organisations conducting such a programme.
Background
Legal Issues to be addressed by a GDPR Compliance Programme
Personal data must be lawfully processed and GDPR sets out various grounds upon which businesses may rely to process personal data. As with the DPA, under GDPR, personal data may be lawfully processed with the consent of the data subject to that processing and this is the ground upon which many companies presently rely in the first instance, including for the processing of the personal data of customers and employees.
In the case of employees, for example, the purposes for which an employer processes that personal data are typically for purposes related to the administration of the employment contract, the provision of employee benefits and compliance with employment legislation; these purposes are all very much in line with the expectations of the employee and accordingly obtaining the data subject’s consent is usually straightforward.
However, when processing personal data, businesses should consider whether there is a more appropriate ground under GDPR on which they can rely in order to lawfully process such data, other than consent. So, to continue with the above example, GDPR requires that where processing is necessary for the administration of a contract (for example an employment contract) the data controller should rely on that ground and should only rely on the data subject’s consent for any additional processing purposes. Any such further consent from the data subject should be ‘unbundled’ from the contract (i.e. provided separately) so that the data subject’s attention is more specifically directed to the consents being sought.
There will be additional requirements under the Data Protection Bill for employers processing ‘special categories’ of data and personal data relating to the criminal convictions and offences (known as ‘sensitive data’ under the DPA) of their employees. Special categories of data include data which relates to: race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation.
Consent
GDPR also enhances the requirements for obtaining a valid consent from a data subject, including the granularity of the explanation of the processing purposes for which consent is being sought. GDPR does not require the automatic ‘refreshing’ of all consents previously obtained, but those consents must be reviewed to ensure that they meet GDPR standards and should be refreshed if they do not. Further, a higher standard of ‘explicit’ consent is required when dealing with ‘special categories’ of data or personal data relating to criminal convictions and offences, when transferring personal data cross-border, or when making decisions based on automated processing of personal data.
Right to be Informed
A data controller has an obligation to provide certain ‘fair processing information’ to data subjects, typically through a privacy notice (e.g. on a website) or a fair processing notice (e.g. to employees). GDPR sets out the information to be supplied and when individuals should be informed. Privacy policies should be reviewed accordingly.
The circumstances in which a data breach must be notified to the ICO and/or to the data subject have a lower ‘risk’ threshold under GDPR than under the current data protection regime. A breach which leads to the loss, alteration, or unauthorised disclosure of, or access to, personal data likely to have a significant detrimental impact on the individual if unaddressed must be notified to the ICO within 72 hours of becoming aware of the breach. If this risk is high, notification must also be made to the relevant data subjects. Data breach policies and procedures should be updated accordingly.
A ‘data controller’ is a person who determines the purposes for which data is processed. A ‘data processor’ is a person who processes data but only for the purposes of a data controller. GDPR imposes direct legal obligations on data processors for the first time, but also places further obligations on data controllers to ensure that their contracts with data processors contain the relevant data processing provisions. Any data processing agreements between an organisation as data controller and its third party data processors should be updated accordingly (and it should be noted that for this purpose a data processing agreement is simply one under which any personal data is processed, whether or not that is the principal purpose of the agreement).
A data subject has always had the right to obtain access to their personal data held by a data controller in order to be aware of and verify the lawfulness of its processing. GDPR tightens up some of the procedural requirements in this respect including timescales and the manner in which the information is to be provided. So, whilst the data subject’s rights are substantively preserved, organisations will need to update their policies and procedures for responding to DSARs accordingly. A copy of the information is to be provided free of charge, unless a request is ‘manifestly unfounded’ or excessive (for example, if it is repetitive).
The GDPR introduces enhanced rights for data subjects including the so-called ‘right to be forgotten’, which is the right for an individual to request the deletion or removal of their personal data where there is no compelling reason for its continued processing under the GDPR, and companies need to consider how best to achieve technical compliance with this requirement should such requests be made. Simply deleting personal data from a record may break referential integrity (for example, removing a person from accounting records, which record a historic fact that the organisation may need to audit against); other options include ‘soft delete’ (mark the record as deleted but do not actually remove it) or ‘pseudonymisation’ (blanking or replacing data on a field by field basis). We recommend that companies adopt a pragmatic approach of reviewing the technical options whilst awaiting the relevant ICO guidance.
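The three technical options described above (hard delete, soft delete and field-by-field pseudonymisation), shown as an added example in Python against SQLite; this is not code from the briefing or from Memery Crystal, and the schema, the sample customer and order rows, and the helper names are constructed for illustration.

```python
import secrets
import sqlite3

# Constructed sample schema (not from the briefing): orders reference customers,
# and the accounting history in orders must survive an erasure request.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT,
                        deleted_at TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY,
                     customer_id INTEGER NOT NULL REFERENCES customers(id),
                     amount_pence INTEGER NOT NULL, placed_on TEXT NOT NULL);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # make SQLite enforce the foreign key
    db.executescript(SCHEMA)
    db.execute("INSERT INTO customers VALUES (1, 'Ann Example', 'ann@example.test', NULL)")
    db.execute("INSERT INTO orders VALUES (1, 1, 4999, '2017-11-03')")
    db.commit()
    return db

def hard_delete(db, customer_id):
    """Naive erasure: refused because an order row still references the customer."""
    try:
        db.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        db.commit()
        return True
    except sqlite3.IntegrityError:  # referential integrity would be broken
        db.rollback()
        return False

def soft_delete(db, customer_id, now="2018-02-02T09:00:00Z"):
    """Flag the row as deleted; the data is still stored, so every ordinary query must filter on deleted_at."""
    db.execute("UPDATE customers SET deleted_at = ? WHERE id = ?", (now, customer_id))
    db.commit()
    return db.execute("SELECT deleted_at FROM customers WHERE id = ?", (customer_id,)).fetchone()[0]

def pseudonymise(db, customer_id):
    """Field-by-field replacement: identifying fields are blanked or swapped for a random
    token stored nowhere else, so the row no longer identifies the person but keeps its key."""
    token = "erased-" + secrets.token_hex(8)
    db.execute("UPDATE customers SET name = ?, email = NULL WHERE id = ?", (token, customer_id))
    db.commit()
    return db.execute("SELECT name, email FROM customers WHERE id = ?", (customer_id,)).fetchone()

def order_total(db, customer_id):
    """The accounting fact (what was paid, and when) remains auditable afterwards."""
    return db.execute("SELECT SUM(amount_pence) FROM orders WHERE customer_id = ?", (customer_id,)).fetchone()[0]
```

Soft delete on its own leaves the personal data in place, so for an erasure request it is usually combined with pseudonymisation of the identifying fields.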
GDPR introduces a new ‘accountability’ principle which requires organisations to be able to show both that they comply and how they comply with data protection principles. GDPR also requires records of processing activities to be maintained, which is linked to the manner in which compliance with the accountability principle is evidenced.
We recommend the creation of a master ‘Records of Processing Activities’ document containing a live record of all personal data processing activities or similar record.
Compliance should also be demonstrated through the updating and implementation of relevant policies and staff training and awareness.
A private sector organisation is required to appoint a DPO if its core activities involve the regular, systematic and large-scale monitoring of data subjects. However, none of the terms ‘core activities’, ‘regular and systematic’ or ‘large-scale’ are precisely defined in GDPR.
Given the new ‘accountability’ principle and the new requirements for ‘privacy by design and by default’, we believe that many private sector organisations will in any event appoint a DPO, whether or not it is mandatory for them to do so, and we would endorse that approach. It should be noted, however, that even where the appointment of a DPO is voluntary, the organisation must then adhere to relevant aspects of the GDPR which are applicable to organisations with DPOs.
GDPR permits the appointment of a single DPO to oversee the data processing activities of a group of undertakings.
‘By Design’: When determining the means of processing, and when processing, GDPR requires a data controller to implement technical and organisational measures designed to implement data protection principles in an effective manner and integrate safeguards.
‘By Default’: GDPR requires a data controller to implement technical and organisational measures so that, by default, only the personal data necessary for the specific purpose is processed.
Data protection impact assessments (DPIAs) are mandatory in certain circumstances under the GDPR and will be key in helping businesses in meeting these requirements.
GDPR continues to require that personal data may only be transferred outside of the European Union in compliance with the conditions of transfer, which in essence means that either the relevant country has been determined to provide an adequate level of protection or appropriate safeguards are in place.
GDPR has extra-territorial effect: a data controller based outside the EU which processes the personal data of EU data subjects in connection with the offering of its goods or services internationally including to EU data subjects is subject to GDPR even when that processing takes place outside of the EU.
A data controller is legally required under GDPR to ensure that any personal data of EU data subjects which is processed on its behalf or at its direction by a third party data processor is processed in compliance with GDPR. This obligation applies to data controllers based outside of the EU and extends to their third party data processors outside of the EU, on the basis that those processors are conducting activities related to the offering of goods or services to EU data subjects.
To comply with its legal obligations such a data controller will enter into a data processing agreement with each service provider which processes the personal data of EU data subjects on its behalf or at its direction. That agreement will usually incorporate the ‘standard contract clauses’ published by the European Commission for use in data processing agreements between data controllers and data processors, although there are other lawful bases for such processing; for example, in the US the data processor may self-certify under the EU-US Privacy Shield.
GDPR Project Actions
The above exercise should also identify any documents relevant to any of the above matters including contracts and policies, so that:
For businesses of a certain size, GDPR requires records of processing activities to be maintained. We recommend that this is undertaken by all organisations in any event as GDPR’s new ‘accountability’ principle requires organisations to be able to show how they comply with data protection principles. The results of the above exercise will be used both to prepare for the introduction of GDPR and to lay the foundation for compliance with these GDPR requirements.
The programme will include documenting:
(Disclaimer: This briefing is designed as a guide providing a summary of aspects of the subject matter. It does not purport to be comprehensive or to offer legal advice, and Memery Crystal expressly disclaims any liability for express or implied warranties or representations contained in, or for omissions from, this briefing. All rights reserved.)