Conducting a GDPR Compliance Programme

02/02/2018

At a glance

Partner Jonathan Riley and Solicitor Emily Parker from our Commercial, Media & Technology (CMT) team highlight the legal issues to be addressed by a GDPR Compliance Programme and list project actions for organisations conducting such a programme.

Background

  1. The General Data Protection Regulation (GDPR) introduces a new data protection regime with effect from 25th May 2018. GDPR builds on the existing regime, implemented in the UK by the Data Protection Act (DPA) 1998, which means that many of GDPR’s principles will be familiar, but there are enhanced requirements in certain respects and GDPR also introduces some additional regulatory requirements.
  2. All companies are required to be GDPR compliant by 25th May 2018. However, it should be noted that some relevant ICO Guidance is not yet available and publication dates for such guidance are not yet set.
  3. The Data Protection Bill 2017 which (when enacted) will replace the current Act, has not yet been finalised. The intention behind this Bill is for the UK to exercise the national derogations permitted under the GDPR, whilst also attempting to ensure that the UK and EU data protection regimes are aligned following Brexit.

Legal Issues to be addressed by a GDPR Compliance Programme

  1. Lawful Processing

Personal data must be lawfully processed and GDPR sets out various grounds upon which businesses may rely to process personal data. As with the DPA, under GDPR, personal data may be lawfully processed with the consent of the data subject to that processing and this is the ground upon which many companies presently rely in the first instance, including for the processing of the personal data of customers and employees.

In the case of employees, for example, the purposes for which an employer processes that personal data are typically for purposes related to the administration of the employment contract, the provision of employee benefits and compliance with employment legislation; these purposes are all very much in line with the expectations of the employee and accordingly obtaining the data subject’s consent is usually straightforward.

However, when processing personal data, businesses should consider whether there is a more appropriate ground under GDPR on which they can rely in order to lawfully process such data, other than consent. So, to continue with the above example, GDPR requires that where processing is necessary for the administration of a contract (for example an employment contract) the data controller should rely on that ground and should only rely on the data subject’s consent for any additional processing purposes. Any such further data subject’s consent should be ‘unbundled’ from the contract (i.e. provided separately) so that the data subject’s attention is more specifically directed to the consents being sought.

There will be additional requirements under the Data Protection Bill for employers processing ‘special categories’ of data and personal data relating to the criminal convictions and offences (known as ‘sensitive data’ under the DPA) of their employees. Special categories of data include data which relates to: race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation.

Consent

GDPR also enhances the requirements for obtaining a valid consent from a data subject including the granularity of the explanation of the processing purposes for which consent is being sought. GDPR does not require the automatic ‘refreshing’ of all consents previously obtained, but those consents must be reviewed to ensure that they meet GDPR standards and should be refreshed if they do not do so. Further, when dealing with ‘special categories’ of data and personal data relating to criminal convictions and offences; transferring personal data cross-border; or making decisions based on automated personal data processing, obtaining a higher level of “explicit” consent is required.

Right to be Informed

A data controller has an obligation to provide certain ‘fair processing information’ to data subjects, typically through a privacy notice (e.g. on a web site) or a fair processing notice (e.g. to employees). GDPR sets out the information to be supplied and when individuals should be informed. Privacy policies should be reviewed accordingly.

  2. Data Breach

The circumstances in which a data breach must be notified to the ICO and/or to the data subject have a lower ‘risk’ threshold under GDPR than under the current data protection regime. A breach which leads to the loss, alteration, or unauthorised disclosure of, or access to, personal data likely to have a significant detrimental impact on the individual if unaddressed must be notified to the ICO within 72 hours of the organisation becoming aware of it. If this risk is high, notification must also be made to the relevant data subjects. Data breach policies and procedures should be updated accordingly.

  3. Data Processors

A ‘data controller’ is a person who determines the purposes for which data is processed. A ‘data processor’ is a person who processes data but only for the purposes of a data controller. GDPR imposes direct legal obligations on data processors for the first time, but also places further obligations on data controllers to ensure that their contracts with data processors contain the relevant data processing provisions. Any data processing agreements between an organisation as data controller and its third party data processors should be updated accordingly (and it should be noted that for this purpose a data processing agreement is simply one under which any personal data is processed, whether or not that is the principal purpose of the agreement).

  4. Data Subject Access Request

A data subject has always had the right to obtain access to their personal data held by a data controller in order to be aware of and verify the lawfulness of its processing. GDPR tightens up some of the procedural requirements in this respect including timescales and the manner in which the information is to be provided. So, whilst the data subject’s rights are substantively preserved, organisations will need to update their policies and procedures for responding to DSARs accordingly. A copy of the information is to be provided free of charge, unless a request is ‘manifestly unfounded’ or excessive (for example, if it is repetitive).

  5. Data Retention / ‘Right to be Forgotten’

The GDPR introduces enhanced rights for data subjects including the so-called ‘right to be forgotten’, which is the right for an individual to request the deletion or removal of their personal data where there is no compelling reason for its continued processing under the GDPR, and companies need to consider how best to achieve technical compliance with this requirement should such requests be made. Simply deleting personal data from a record may break referential integrity (for example, removing a person from accounting records, which are a historic fact that the organisation may need to audit against); other options include ‘soft delete’ (mark the record as deleted but do not actually remove it) or ‘pseudonymisation’ (blanking or replacing data on a field by field basis). We recommend that companies adopt a pragmatic approach of reviewing the technical options whilst awaiting the relevant ICO guidance.
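A worked illustration of the ‘soft delete’ and ‘pseudonymisation’ options described above, added here as example code rather than anything from the original briefing: a constructed SQLite database in which invoices reference a customer record, so that a plain delete breaks referential integrity while pseudonymising the customer row and flagging it as erased does not (the table and column names are assumptions).

```python
import sqlite3
import secrets
from datetime import date

def build_db():
    """Constructed sample data: a customer master table plus invoices that reference it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce the invoice -> customer reference
    conn.executescript("""
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY,
            name TEXT, email TEXT, phone TEXT,
            erased_at TEXT  -- soft-delete marker, set when an erasure request is honoured
        );
        CREATE TABLE invoices (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(id),
            amount_pence INTEGER NOT NULL, issued_on TEXT NOT NULL
        );
        INSERT INTO customers VALUES (1, 'Jane Example', 'jane@example.com', '+44 7000 000000', NULL);
        INSERT INTO invoices VALUES (101, 1, 12500, '2017-11-03'), (102, 1, 4200, '2018-01-15');
    """)
    return conn

def hard_delete_fails(conn, customer_id):
    """A plain DELETE is rejected while invoices still reference the customer."""
    try:
        conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    return False

def erase_customer(conn, customer_id, erased_on=None):
    """Honour an erasure request without breaking referential integrity: identifying fields
    are blanked or replaced with a random token (pseudonymisation) and the row is flagged as
    erased (soft delete); the primary key survives, so invoices needed for audit still resolve."""
    token = "erased-" + secrets.token_hex(8)  # random, so it cannot be linked back to the person
    stamp = erased_on or date.today().isoformat()
    cur = conn.execute(
        "UPDATE customers SET name = ?, email = NULL, phone = NULL, erased_at = ? "
        "WHERE id = ? AND erased_at IS NULL",  # idempotent: a repeat request changes nothing
        (token, stamp, customer_id))
    conn.commit()
    return cur.rowcount == 1

def invoice_total(conn, customer_id):
    """Accounting history remains intact and auditable after erasure."""
    return conn.execute("SELECT SUM(amount_pence) FROM invoices WHERE customer_id = ?", (customer_id,)).fetchone()[0]
```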

  6. Accountability and Data Processing Records

GDPR introduces a new ‘accountability’ principle which requires organisations to be able to show both that they comply and how they comply with data protection principles. GDPR also requires records of processing activities to be maintained, which is linked to the manner in which compliance with the accountability principle is evidenced.

We recommend the creation of a master ‘Records of Processing Activities’ document (or similar record) containing a live record of all personal data processing activities.

Compliance should also be demonstrated through the updating and implementation of relevant policies and staff training and awareness.

  7. Data Protection Officer (DPO)

A private sector organisation is required to appoint a DPO if its core activities involve the regular, systematic and large-scale monitoring of data subjects. However, none of the terms ‘core activities’, ‘regular and systematic’ or ‘large-scale’ are precisely defined in GDPR.

Given the new ‘accountability’ principle and the new requirements for ‘privacy by design and by default’, we believe that many private sector organisations will in any event appoint a DPO, whether or not it is mandatory for them to do so, and we would endorse that approach. It should be noted, however, that even where the appointment of a DPO is voluntary, the organisation must then adhere to relevant aspects of the GDPR which are applicable to organisations with DPOs.

GDPR permits the appointment of a single DPO to oversee the data processing activities of a group of undertakings.

  8. Privacy By Design / Privacy By Default

‘By Design’: When determining the means of processing, and when processing, GDPR requires a data controller to implement technical and organisational measures designed to implement data protection principles in an effective manner and integrate safeguards.

‘By Default’: GDPR requires a data controller to implement technical and organisational measures so that, by default, only the personal data necessary for the specific purpose is processed.

Data protection impact assessments (DPIAs) are mandatory in certain circumstances under the GDPR and will be key in helping businesses in meeting these requirements.

  9. Transfer of Data

GDPR continues to require that personal data may only be transferred outside of the European Union in compliance with the conditions of transfer which basically means that either the relevant country has been determined to provide an adequate level of protection or appropriate safeguards are in place.

  10. Extra-Territorial Effect

GDPR has extra-territorial effect: a data controller based outside the EU which processes the personal data of EU data subjects in connection with the offering of its goods or services internationally including to EU data subjects is subject to GDPR even when that processing takes place outside of the EU.

A data controller is legally required under GDPR to ensure that any personal data of EU data subjects which is processed on its behalf or at its direction by a third party data processor is processed in compliance with GDPR, and this obligation applies to data controllers based outside of the EU and includes its third party data processors outside of the EU on the basis that they are conducting activities related to the offering of goods or services to EU data subjects.

To comply with its legal obligations such a data controller will enter into a data processing agreement with each service provider which processes the personal data of EU data subjects on its behalf or at its direction. That agreement will usually incorporate the ‘standard contractual clauses’ published by the European Commission for use in data processing agreements between data controllers and data processors, although there are other lawful bases for such processing; for example, in the US the data processor may self-certify under the EU-US Privacy Shield.

GDPR Project Actions

  1. The first project action is for an organisation to carry out its own ‘Data Mapping’ exercise, which is an exercise to review:
  • the personal data which it holds;
  • the sources of that data;
  • the purposes for which it is used;
  • where the data is held (on which drives, servers etc. and in which countries);
  • the third parties with whom it is shared; and
  • the lawful basis upon which it is processed (consent; necessary for performance of contract etc.).

The above exercise should also identify any documents relevant to any of the above matters, including contracts and policies. In particular:

  • A review of the organisation’s relationships should be conducted to identify those relationships with third parties under which personal data flows either from or to the organisation, and a schedule of contracts compiled for review for GDPR compliance; and
  • All policies, including those policies intended to be incorporated into the terms of employment of the organisation’s employees, should be compiled for review for GDPR compliance.

For businesses of a certain size, GDPR requires records of processing activities to be maintained. We recommend that this is undertaken by all organisations in any event as GDPR’s new ‘accountability’ principle requires organisations to be able to show how they comply with data protection principles. The results of the above exercise will be used both to prepare for the introduction of GDPR and to lay the foundation for compliance with these GDPR requirements.

  2. Revision of data subject consents, including any marketing consents, provided to the organisation.
  3. Revision of the organisation’s data-related policies, including data subject access request procedures and data retention policies, for GDPR compliance.
  4. Revision of the organisation’s standard terms of employment, fair processing notice and relevant employee policies for GDPR compliance, including reliance primarily upon ‘necessary processing’ rather than ‘consent’ as the basis for lawful processing.
  5. Review of the data protection provisions in those third party contracts under which personal data flows either from or to the organisation. Where the organisation is the data processor or has contracted on a third party’s standard terms it may well be that the next stage will then be for the organisation to request proposals for GDPR compliance from the relevant third party.
  6. Revision of the organisation’s privacy policies including website privacy and cookie policy and related content.
  7. Staff awareness and training to be undertaken across all areas of the business in respect of GDPR compliance.
  8. The organisation to consider who is to assume the role of DPO.
  9. Preparation of guidance on data subject rights, including objections to the processing of personal data and data subject requests to erase personal data or to suppress the processing of personal data.
  10. Preparation of guidance on GDPR implications for IT systems requirements including (i) data processing impact assessments, (ii) data portability, (iii) ‘privacy by design’ and ‘privacy by default’, and (iv) automated decision making and profiling.
  11. To meet GDPR’s requirement for internal records of data processing activities to be maintained, a master ‘Records of Processing Activities’ document (or similar record) containing a live record of all processing activities should be created and maintained.
  12. The effect of the GDPR’s ‘accountability’ principle is that organisations will need to implement a data protection compliance programme, because that programme will document how the organisation complies with the data protection principles. The DPO should ideally take the lead in implementing and maintaining this programme.

The programme will include documenting:

  • The appointment and role of the DPO;
  • The integration of data protection policies into wider corporate policies;
  • The integration of data protection into systems and processes (including where DPIAs should be undertaken);
  • Lawful processing (consents held etc.);
  • Processing activities;
  • Privacy notices;
  • Accountability of data processors;
  • Compliance with data subjects’ rights;
  • Security breach management;
  • Risk assessments; and
  • Training.

(Disclaimer: This briefing is designed as a guide providing a summary of aspects of the subject matter. It does not purport to be comprehensive or to offer legal advice, and Memery Crystal expressly disclaims any liability for express or implied warranties or representations contained in, or for omissions from, this briefing. All rights reserved.)